TW200417216A - Control of access to a memory by a device - Google Patents

Abstract

The present invention provides a data processing apparatus and method for controlling access to a memory. The data processing apparatus has a secure domain and a non-secure domain, in the secure domain the data processing apparatus having access to secure data which is not accessible in the non-secure domain. The data processing apparatus comprises a device coupled to a memory via a device bus, and operable, when an item of data in the memory is required by the device, to issue onto the device bus a memory access request pertaining to either the secure domain or the non-secure domain. The memory is operable to store data required by the device, and contains secure memory for storing secure data and non-secure memory for storing non-secure data. In accordance with the present invention, the data processing apparatus further comprises partition checking logic coupled to the device bus and operable whenever the memory access request as issued by the device pertains to the non-secure domain, to detect if the memory access request is seeking to access the secure memory and upon such detection to prevent the access specified by that memory request. This approach significantly improves the security of data contained within a secure portion of memory.

Description

200417216 玖, [send first processor. Organizing applications Sensitive use of all application records We can try to ensure the application if it is complicated Invention Description: The technical field of the invention] The present invention relates to controlling the access of a device to a memory. [Previous Technology] A typical device for executing an application loaded on an information processing device includes a processor. Operating under the control of an operating system The data required to perform any particular application is usually stored in a memory of the information device. It will be understood that the data may contain instructions contained therein and / or actual data values used between those instructions regarding the processor. There are many examples here, when at least one piece of data is used by the applications, it should not be accessed by others that can execute on the processor. As an example, when the information processing device is a smart card, one use is a security application using sensitive data, such as security, to perform authentication, authentication, decryption, and so on. In such cases, it is clear that the importance of ensuring the security of such sensitive data prevents it from being accessed by other applications in the data processing equipment, such as access to the security data that has been loaded. Hacking application. In the system, it is the job of the developer of the operating system to ensure that the operating system can provide sufficient security. Security data that cannot be accessed by other applications executed under the control of the operating system. However, the system becomes more complicated, and the general tendency is that the operating system becomes larger, and in such cases, it is more difficult for the operating system itself to ensure sufficient security. Examples of systems seeking to provide secure storage against sensitive data and protection against malicious code are discussed in US patent applications US 2002/0007456 A1 and US patents US 6,292,874 Β and US 6,282,657 Β. Therefore, in order to seek to maintain the security of such security data contained in the memory of the data processing equipment, there is an urgent need to provide an improved technology.

[Summary of the Invention]

A first aspect of the present invention provides a data processing device having a security network domain and a non-security network domain. In the security network domain, the security data accessed by the data processing device cannot be stored in the non-security domain. A security domain accessor, the data processing device includes: a device bus; a device connected to the device bus and operating to issue a memory related to the security domain or the non-security domain A body access request; a memory connected to the device bus and operating to store data requested by the device, the memory including security memory for storing security data and non-security data Of non-secure memory. When the device requests a data item in the memory, the device is operable to issue a memory access request to the device bus; and segment detection logic, which is connected to the device bus, When the memory access request issued is related to the non-secure data, it is operable to detect whether the memory access request seeks to access the secure memory, and to prevent such memory requests by such detection Access. 4 200417216 According to the present invention, a device is connected to a memory by a body, and the π spread exchange bank is operable to issue a record with a security domain or a connection ^ a global domain The corresponding data Mj is used as a storage device to store two security memories including the security data used to store the security data and the transmutable memory that fetches all the data. When the device wants to save one item of wear: P1, it arranges for it to send a memory access request to 2 buses. According to the present invention, 'provide segmentation detection logic, its connection correlation = streaming' and as long as the memory access request issued by the device fetch request = security data 'is operable to detect whether the memory is stored X.. ~菔 u and use such detection to prevent access to such redundant memory requests. Therefore, the 'segmentation detection logic is arranged to supervise the access to the memory to ensure that the secure memory is accessed when a memory access request is sent to a non-secure domain. In one embodiment, the device may be operated in a majority mode, including at least one non-secure birth mode in a non-female full-scale domain and at least one non-secure domain in a non-secure domain. A security mode. Segmentation detection logic accesses the information about the division between memory and non-secure memory. I understand that in the embodiment, the segmentation information can be hardwired. Among them, Sumbus changes the entity between security memory and non-security memory. ^ ^ ^ ^, And in a preferred embodiment, when the ^ μ mode is set to work, the device can be set ^ ^ ^ ^] Of the secure memory and the non-secure memory, in such an embodiment, it is prepared to operate in a pre-defined female holistic mode ^ The device arranges the segmentation detection 5 logic. Therefore, If a malicious application installed on the device is intended to access the security data, the application cannot be executed in the security domain, and therefore it cannot change the segmentation information. Therefore, even if the application can output a Memory access request, which Attempting to access a location in the secure memory, the partition detection logic will detect that the application executing in a non-secure mode of the device attempts to access a secure memory location, and will prevent the access I will understand that there are a few different ways in which segmentation detection logic can receive information from the device about the domain to which the memory access request is related. However, in the preferred embodiment, the memory sent by the device The body access request includes a network domain signal that determines whether the memory access request is related to the secure network domain or the non-secure network domain. In one embodiment of the present invention, the network domain signal can therefore determine whether The device operates in a secure or non-secure domain, and therefore when the domain signal indicates that the device is operating in a non-secure domain, it can trigger the partition detection logic to check the memory access request. In the preferred embodiment, 'the segmentation detection logic does not perform any segmentation checks when the device is operating in a security domain, because in the preferred embodiment, when the When operating in sexual mode, the device can access both secure memory and non-secure memory. We will understand that in the memory storage method, the domain signal works together. It is better to report that the domain signal and therefore can only be installed by the device. The application that is executed in the request is declared. Therefore, an embodiment that can use many kinds of parties in the fetch request is to declare at the hardware level a malicious application that confirms that it can be executed on the device in the security domain. The 200417216 port cannot tamper with the network. Setting of the domain signal. In particular, in the preferred embodiment, the device has a predetermined pin for outputting a network domain signal to the device bus, and the network domain signal is set to indicate the device system in a predetermined state. Operate in a non-security mode. Therefore, in one embodiment, the network domain signal will be set only when the device is executing a security application in the security network domain: means: the device is in the security network domain The operation can only be performed when the domain sends the "Reset" & cut detection logic to allow access to the security data in the memory. Test logic. However, the conflict memory provided in the arbiter makes the segmentation detection and logic determination.

σ people will understand that this is enough to implement segmentation inspection in many ways. In the preferred embodiment, the segmentation detection logic connected to the device bus is performed between requests for access to the device bus body. Judge. We have found it easy to combine logic with an arbiter, and in fact also allow partitioning to check whether the arbiter agrees to a memory access request. 1 Α ρ π w Τ, device 4 operates in the control of a non-safety operating system, and

In the domain, the device operates under the control of a secure operating system. Sexual operating systems are usually much smaller than non-secure operating systems and are capable of controlling a security core with a security core. By this method < a security domain can be seen as providing a security context to enable certain sensitive operations to be performed in the i control context. Other applications can then remain in the security domain, which can be considered a non-security context. I will understand that the device can take many forms and that the exact number of such devices is connected to the bus. In the case where most devices are connected to Bus 7 200417216, when the device is operating in a security mode, each device that can operate in both security and #security modes can independently control the partition detection logic, in which In this case, the partition detection logic accesses partition information specific to each individual device. However, a preferred embodiment is that one of the devices is responsible for the management of the partition detection logic. In a preferred embodiment, at least one device is a chip cooperating with a processor. When the processor generates a memory access request, the chip further includes a memory management unit operable to execute one or Most of the predetermined access control functions are used to control the memory access requests issued to the device bus. One or most other parts of the data processing equipment may be provided on the same wafer or off-chip. People will understand that the memory connected to the device can take many forms, such as random access memory (RAM), read-only memory (ROM), a hard disk, registration in certain peripheral devices, etc. Wait. In addition to this type of memory, one will understand that when the device uses a chip connected to the system bus and processor to interact with it, there may also be some kind of memory connected to the system bus, for example, fast Fetch memory, TCM, and so on. Therefore, in some embodiments, the chip further includes a special memory connected to the processor via a system bus, the special memory is operable to store data required by the processor, and the special memory includes security Special 5 memory is used to store security data 'and non-secure special memory is used to store non-security data; and special segmentation detection logic connected to the system's bus, and when it is in the non-security domain The operating mode in the security mode is 200417216, and the memory and memory are streamlined. Include in the general form, such as under the general. Relative to some security. The security processor 'as long as the processor generates a memory access request, it checks whether the memory access request intends to access the secure memory or the security' to prevent such a memory access request by such detection For the memory connected to the system bus, the segmentation detection logic connected to the system cannot perform any segmentation detection function. In the embodiment, special segmentation detection logic is provided to ensure that when operating in the security mode, it cannot Access to any part of the security memory, whether or not it is a security-specific part connected to the device bus, or special memory containing security data. According to an embodiment of the present invention, the processor operates in most modes in non- At least one non-security mode in the security domain and at least one security mode in the domain. When operating on a non-secure operating system, the processor is a control operating on a non-secure operating system, a standard pre-existing operating system. However, when operating in a mode, the processor operates on a secure operating system rather than a non-secure operating system. The secure operating system is the smallest in size and has a form of a security core to perform full operation. Sexual function. With the above method, the safety domain can be used by a female full-sexual context to perform certain sensitive tasks in a controlled environment. Its application remains in the non-safety domain, which can be regarded as a sexual context. In an operable embodiment, a memory management unit is provided. When one of the data items in the memory is to be accessed, it should receive a special 0 to set the sink, and the device is in the system memory setting section. In the security mode, a security control can perform a certain operation. A memory access request issued by the processor 9 200417216 performs one or most of the predetermined access control functions to control the S memory. Memory access request. As an example, such predetermined access control functions may involve the translation of a virtual address to a physical address. Check the access permissions to ensure that the processor operating in the existing operating mode is allowed to access the required data items. Analysis of regional attributes, such as determining whether data items are cacheable, bufferable, #, etc., as those who are familiar with this art know.

In particular, according to this embodiment, the special partition detection logic is managed by the security operating system. Because the special partition detection logic is managed by a security operating system, the special partition detection logic is not changed by non-security applications, so unauthorized access to security data is prevented. & Special partition detection logic will access information about the partition between secure and non-secure memory. I will understand that in the embodiment, the segmentation can be hardwired: a physical message in which the physical segmentation between the secure memory and the non-secure memory cannot be changed. 'When the processor is operating in a predetermined security mode, the processor can set the division between secure memory and non-secure memory.

The special partition detection logic is managed by the processor when, and in such embodiments, when operating in a predetermined security mode. For this reason, if a processor installed on the processor can execute messages in the security domain. Therefore, even if the application attempts to access the security data from a non-secure imaginary application located in the processor in the security memory, the application does not 'and therefore it cannot change the partitioned data to output a memory access request, Attempt to store 'The special partition detection logic will detect that an application executing in the formula attempts to access a security 10 200417216 memory location' with those who are familiar with this construct, and can specify the actual operation during a memory access. The security address, and the memory system, implement better access control in this type of operation if the operation is performed in the mode of “the memory access request refers to, especially,” if the operation is performed by the memory. The address-to-physical address cut detection logic executed by the management unit. In one embodiment, the fetch request can be operated by using virtual partition detection logic. The physical unit performs the necessary control function, but the controller operates in the physical address detection logic of a non-memory management unit to the physical location. When the processor requests to designate an integrated management unit, the access control Function one security mode, all operation modes, the memory management unit is in a non-secure mode, and any of its cut detection logics, when it accesses L will prevent that access from happening. Stomach artisans will understand that depending on the framework of the data processing system, a virtual address can be specified, or in some embodiments a rich address. However, in the preferred embodiment, when the processor is also in the mode, the memory access request specifies a virtual bit management unit controlled by a non-secure operating system. The memory function includes the virtual management unit. Special split access check. In the preferred embodiment, the memory access requests the system to control the above-mentioned predetermined conversion of the memory, at least, the address of the processor, and at and as long as this is handled, regardless of the address translation of the operation, the special sub-security One of the transformations performed in the mode, such as the security in order to prevent the memory from being tied to a secure virtual address, which is also provided by one of the memory containing the virtual non-use because the memory bin is provided The special mode operation uses the memory tube. It needs to be saved only when it is used in the memory 11 200417216. There will be no restrictions. However, I will understand that in the alternative embodiment, surely Some degree of segmentation check can be provided for a certain mode of operation. In the optional embodiment of the present invention, there is at least a security mode of operation, in which the memory access request is directly specified by the physical address, and therefore, in a specific security mode, no execution is required. Any ^ translation to the physical address, but the party directly specifies the physical address: The method of the pseudo-address is ineffective; tongue, because there is no need to perform mapping between the virtual address and the physical address: More secure. Therefore, in a step-by-step preferred embodiment +, the security mode of directly specifying the physical address of the memory access request is < the most secure in ㈣㈣. In the preferred embodiment, this mode is called One of the operational monitoring modes, and responsible for managing the conversion of data processing equipment in non-female holistic and secure domains. In such a preferred embodiment, the data processing device further includes a memory protection unit, which provides the special partition detection logic. The memory protection unit management is managed by a security operating system, and when the processor is operated in A special security mode, the memory access requests a physical address of a memory location, the memory management unit is not used, and the thin body thin unit operation is performed to perform at least memory access permission processing, To determine whether the memory location specified by the physical address is accessible in the special security mode. Therefore, when the processor is operating in a special security mode ', the access is only managed by the memory protection unit managed by the secure operating system. In a preferred embodiment, the memory includes at least one table containing a 12200417216 record containing a relevant descriptor for each of the memory regions of the narrative real-world device, Such as each ^ # This memory management unit contains an internal storage element for storing the & ^ & descriptive symbols and the access control data used by the memory management unit ^ 4, ^ y 5, thinking that the memory needs to perform the pre-access control function when the memory is swallowed. When the _ χ.Λ. Mi: _b Dongli device is operated in the V-non-female holistic mode, the special partition The internal storage unit of the detection logic stores the access to prevent wandering. The access control of sexual memory will be understood by those skilled in the art. Such a form of 描, θ Shi Tian Mi 4 can be in the form of a ball, but alas, in the preferred embodiment, the table is a pagination table. In a corresponding descriptor describing the stored% information of the page related to the memory, I in each of the pages of the memory is defined ... Therefore, for example, the descriptor can define a virtual bit for the page ^ ^ | knife and a corresponding body address part, access permission information (for example, whether the page is in supervising mode, user mode, etc. Accessible), and mysterious), and area attributes such as whether the data contained in the page is cacheable, bufferable, and so on. In these embodiments, the memory stores a known virtual address so that the interpolated characters in the table contain at least one virtual address portion corresponding to one of the memory regions.杳 强 # 〃 Corresponds to the physical address part. The special partition detection logic is operable. When the ulcer occurs, the processor operates in the at least one non-secure mode to prevent the internal storage. At a touch, Meow Store stores the access control information to the physical address part. If the physical address generated by the virtual address is later in the security memory. I will explain below ^ In a properly implemented system, virtual logic is executed in a non-safety mode ^ One of the non-safety applications that deal with vanadium is generally unknown 13 200417216 security memory, and when dealing with When the device is in a non-common female full-sex mode, it is referred by the processor to convert the virtual address into a real ^ ear body address table. You should not refer to any but eight # points that work with security memory. Memory area. By the way, in the example of a non-security application designed as a hacker application that only accesses security information, I will understand that when in & non-security mode, it may also break The knowledge descriptor in the table referenced by the processor to generate mappings to parts of the security memory. In addition, and because the particular operating system is managed by a security operating system in the security domain Detection logic, which will not be damaged by this kind of activity, and because of this situation, the physical address part intercepted from a descriptor can be detected, and then generated for a specific virtual address. The physical address is in the Security & Redundant Body. Therefore, if the table duality in the memory has been fraudulently changed, the special segmentation detection < The internal storage unit that prevents the memory management from being stored will have changed the J 1 to fetch control information, and therefore will prevent this access from occurring. The internal storage in the memory management unit is lacking and> a morning may have Many forms. However, in the preferred embodiment, TT # is saved earlier as a translation reference buffer (TLB) which is operable to store the correspondence of the imitation r 邺 8, and the corresponding part of the pseudo-address. The physical address port P knife, which is obtained from the corresponding descriptors up to 161 quarts ^ table T. TLB, and: In the example, the memory management unit will contain the single-body table partition detection logic It will be operable to ensure that any intervening characters taken from memory 2 and 2 2 will not be stored in TLBt, if the processing is performed in a non-comprehensive manner, and the operation is based on the access control in the descriptor Information Lu Li, the physical address of will point to a location in security memory 14 200417216. In the operation of switching between security and non-security mode, the TLB will be cleared «ensure that the relevant is not available in non-security mode The descriptor in security mode and vice versa.

However, in an alternative embodiment, the internal storage unit includes miCrO-TLB and the main TLB, and the $ main TLB is used to store the descriptors worn by the memory management unit from at least one table in the memory, and in Before using the access control information, the memory management unit transmits the access control information from the main TLB to mi⑽_ to perform the predetermined access control function of the memory access request. In such embodiments, the #processor operates in the at least-non-security mode, and the special partition detection logic is operable to prevent any access control information from being transmitted from the main TLb to the micro-TLB, which allows access The security memory. Therefore, in such an embodiment, the descriptor can be copied to the main tlb, kernel, and * When the processor is operating in a non-security mode, the special segmentation detection logic is operable to supervise the Interface,

To ensure that no access control message is passed to mi__TLB, which allows access to secure memory. In order to provide a table, different tables are used according to the operation mode, so it allows different operation modes. Meaning: the same access control information. In particular, in the preferred embodiment, the ^ table includes a non-security table #, which is used when the processor is operating in the to ^ security mode and contains descriptors generated by the non-security operating system. The descriptors in the non-security table are related to at least part of the security memory that-partly interacts with-memory area 2 15 200417216 = Π in non-security mode 4, the special segmentation detection logic: sub-storage It is expected that the virtual address after w will be equal to the physical address generated by the women's full health body. In addition, in such a preferred embodiment, when the virtual-to-physical address translation occurs in at least-security mode, the at least-table is more contained in the security memory-the security table, which contains the The descriptor generated by the operating system. The primary TLB has a flag that is associated with each descriptor stored in the primary TLB to confirm whether the descriptor comes from the non-security form or the security form. When the stomach is operating between the security domain and the non-security domain_, by: working with a flag in the main TLB 'to indicate whether a corresponding descriptor comes from the non-security table or the security table &, There is no need to clear the main puppet and vice versa. When the access control information is passed from the descriptors of the main TLB to mi⑽_TLB, only those descriptors given appropriately in the existing domains operated by the processor are considered. Therefore, if you operate in any of the non-security modes, and therefore in non-security domains, then only the relevant flags in the main m are those descriptors from the non-security form are considered Candidate descriptors get access control information from them to pass to the micro-TLB ° In this preferred embodiment, whenever the operation of the processor is switched between a secure surname description and a non-secure mode In security mode, access control information can only be converted from the main TLB— ~ brackets to micro-TLB ... The relevant flags are from the security table, 16 200417216, and In the security mode, the access control information can only be converted from the primary-descriptor to the micro-TLB, where the relevant flag comes from the non-security table. The micro-TLB is usually much smaller than the primary and therefore whenever the processor is moving in a secure domain and insecurely, 'clearing the micro-TLB will not severely impact performance. Since the predetermined access control function performed by the body management unit is performed only by the access control information in the micro-TLB. For the operation of the above-mentioned mechanism to ensure any special mode of the device, the control information contained in the micro-TLB will only be derived from the description obtained from the appropriate memory table, that is, when the processor is operating in a non-security mode, Non-Angle, or when the processor is operating in a security mode. In an embodiment, when all security modes of operation specify the physical address directly in the memory access request, we will understand that such flags are not in the main TLB, and the main TLB stores only non-specifiers. I will understand that memory can take many forms and can be used in many places in data processing equipment. For example, the memory may include one or more of the components, for example, random access memory (RAM), a hard drive, a back-to-back memory (tcm), a number of caches, a peripheral device The multiple registrations provided and the memory enclosures allow the various components of the memory to be individually addressed. Therefore, in the embodiment, as described above, at least a part of the memory can be connected to a bus, the other part of the memory can be marked as a TLB in a different TLB, and the memory domains are aligned by the memory leaves. For the processing of contained narratives, holistic tables, holistic tables, they will need holistic descriptions, which are located in multiple, read-only one or more address ranges, and some links to a single bus 17 200417216. For example, in one embodiment, the processor is connected to a system bus, and a portion of the memory includes one immediate memory (TCM) connected to the system bus. Those skilled in the art will understand that such TCMs are commonly used It is used to store data that is usually used by the processor, because access to the TCM via the system bus is much faster than access to external memory, such as the memory on the device bus. Generally, the physical address of the TCM can be set in a control register of a data processing device. However, it may cause some security issues, as described in the following example. When the processor is operating in a non-secure mode, the non-secure operating system allows design control login to define the physical address space of the overlapping portion of security memory as TCM memory. When the processor later operates in the security domain, the security operating system can enable the security data to be stored in the security memory section, where the security data is usually stored in the TCM instead of the external memory, because the TCM usually Has a higher priority. However, if the non-secure operating system changes the physical address range setting of the TCM again later, so that the previous secure memory part is now mapped to the non-secure entity area of the memory, we will understand that the non-secure operating system can Access to security data, as special partition detection logic will treat the area as non-secure and will not declare a suspension. Therefore, in short, if the TCM is set to behave like a normal local ram instead of SmartCache, if the TCM base can be moved to a non-secure entity address, then the non-secure operating system will also It is possible to read security situation data. , 18 200417216 For the full operation of the omnidirectional system of the comprehensive operation mode, ^ a failure to respond to the implementation of the query of information, can be registered by the domain 'access' management settings operation a in order to avoid the above situation' In underestimating every ^ ^ Λ, the data processing device of the preferred embodiment provides a control flag set by the processor when it is operating in a security mode, indicating whether the compact memory is only in the security mode. It can be controlled by the device during execution], or can be controlled by the processor when executed in at least one non-safe mode. The control flag is set by the security operation system 'and actually defines whether the TCM is controlled by the security authority mode or the non-security mode. Therefore, the settings that can be defined are ... CM only when in the permission security mode. In such embodiments " any non-secure access intent of the CM control login will result in an exception to the entry definition instruction. The -selective setting + 'is controlled by the processor when operating in a non-secure Du mode. In such embodiments, the TCM can only be used by non-secure applications. No safety material can be loaded or stored from TCM. Therefore, when performing a secure access, do not perform a fetch to know if the address matches the TCM address range. In a preferred example, CM makes it possible to use only non-safety operating systems. The advantage is to change the non-safety operating system, because the more non-safety operating systems use the TCM in a normal mode. One of the second aspects of the invention is that the present invention provides a method for controlling hidden body access in a data processing device with _security 2: security network domain. In the security network domain, data processing f Month & security information taken from the non-secure web clerk + receiver package Γ, the data is sent: ―device bus,-device is connected to the device bus and memory access request related to it Either the secure domain or 19 200417216 the non-secure domain, and a memory connected to the device bus and operable to store data the information required by the device, the memory containing the information used to store the security data Security memory and non-security memory for storing non-security data, the method includes the following steps: (i) when a data item needs to be accessed in the memory, a memory storage is issued from the device; Fetch request to Configure the bus; and (ii) as long as the memory access request issued by the device is related to the non-secure domain, use the segment detection logic connected to the device bus to detect whether the memory access request is an attempt to access the memory Secure memory; and (iii) prevent access specified by the memory access request based on such detection. From another aspect of the present invention, the present invention provides a data processing device including: a device bus, a device connected to the device bus, and in multiple modes or in a secure or non-secure domain Operation, including at least one non-security mode in a non-security domain and at least one security mode in a security domain; a memory connected to the device bus and operable to store data required by the device, the memory The device includes a security memory for storing security data and a non-security memory for storing non-security data. When a data item needs to be accessed in the memory, the device is operable to issue a memory storage. Fetching requests to the device bus; and split detection logic connected to the device bus and when operating in the at least one non-security mode, as long as the device issues a memory access request, it is detected whether the memory access request is an attempt to save Fetch the security memory; and prevent access specified by the memory access request based on such detection. From another aspect of the present invention, the present invention provides a method for controlling access to a memory in a data processing 20 200417216 device. The data processing device includes a device bus and a device connected to the device bus. Side by side operation in multiple modes or in a secure or non-secure domain, including at least one non-secure mode in a non-secure domain and at least one security mode in a secure domain, a memory It is connected to the device bus and can operate and store the data needed by the device. The memory includes the security memory for storing the security data and the non-security memory for storing the non-security data. The method includes the following Steps: (i) when a data item needs to be accessed in the memory, a memory access request is sent from the device to the device bus; and (π) when operating in the at least one non-security mode, as long as the device Issue a hidden memory access request and use the segment detection logic connected to the device bus to detect if the memory access request is an attempt to access the secure memory; (ILL) based on such detection, to prevent the memory access request of the designated access. [Embodiment] The first figure is a block diagram describing a data processing device according to a preferred embodiment of the present invention. The data processing device functions in conjunction with a processor core 10, which provides an arithmetic logic unit (ALU) 16 arranged to execute a series of instructions. The information required by the ALU 16 is stored in a registration block 14. Provide various monitoring functions for core 10 to intercept diagnostic data indicating processor core activity. As an example, an embedded trace module (ETM) 22 is provided. According to certain controls within the ETM 22 that define the activities to be traced, the content of 26 21 200417216 is generated, and some of the processor cores are generated. Real-time tracking of events. These tracking signals are usually output to a tracking buffer where they can be analyzed later. A vectored interrupt controller 21 is provided to manage most of the interrupt services that can be provided by various peripherals (which will not be repeated here). In particular, as shown in the first figure, another monitoring functionality that can be provided within the core is an error detection function. An error-removing application outside the data access device can be linked by an or Most of the connection test access group (JTAG, Joint Test Acces Group) controllers 12 of the scan chain 12 communicate with the core 10. The status information about each part of the processor core 10 can be output to external debugging applications through these scan chains 12 and JTAG controller 18. An online simulator (ICE, In Circuit Emnlato 〇20 is used to store the confirmation of when to start and stop the debugging function within the login 24, and therefore, for example, is used to store breakpoints, monitor Watchpoints, etc. The core 10 is connected to a system bus 40 through the memory management logic 30. The memory management logic 30 is arranged to manage the memory access requests issued by the core. , Used to access the memory location of the data processing device. It can be directly connected to the memory unit 40 of the system bus, for example, the cache 38 shown in the first figure and the immediate memory (TCM, TighUy Coupled Memory) 36 deploys some parts of memory. Additional devices can also be provided for accessing such memory, such as a direct memory access (DMA) controller 32. Generally, various control entries 34 will be provided to define Certain control parameters of various components of the chip. Here, these control registrations are also referred to as auxiliary processor 15 (CP15) registration. 22 200417216 An external bus interface 42 can be used to connect the chip containing the core 10 with the An external bus 70 (e.g., based on the Advanced Microcontroller Bus

Architecture, AMBA) "specification to operate a bus) connection and can connect various devices to external buses 7 0 ^ These devices can include, for example, the main control device of the digital # processor (DSP), and various controlled devices For example, the boot-only read-only memory 44, the screen driver 46, the external memory 56, the input / roll-out (I / O) interface 60, or the key storage unit 64. In the co-processing facility shown in the first figure, there are especially a storage list and a memory part of the 66. Regarding the provision of judgments, for example, the various control devices provided by the specific department can be regarded as the data processing equipment All memories have the same effect. For example, the boot-only read-only memory 44 will form part of the data-addressable δ-memory body, as well as the external memory 胄 56. For example, devices such as a screen driver ϋ 46, a turn-on output interface 60, and a key 64 each include, for example, a login or a buffer, and independently addressable internal storage elements, which are part of the entire data processing device. As will be discussed in more detail later, a portion of memory-for example, external memory 56 will be used to store a paging table 58 that defines one or more of the memory access controls. … Artists will understand that, usually for the external bus 70 optimizer-M and decoder logic 54, the arbiter is used to judge the majority of memory access requests issued by the master device. Core 10, DMA 32, P 50, DMA 52, etc., and the encoder determines any memory access request that should be processed by the controlled device on the external sink. In one embodiment, an external bus may be provided to the chip containing the core 23, 200417216. In other embodiments, an on-chip will be integrated to provide the core 10 to the external bus. It is more conducive to maintaining the security of the security data on the external bus than when the external bus is off-chip; when the external bus is a non-integrated chip, data encryption technology can be used to improve the security data Security.

Fig. 2 illustrates various programs executed on a processing system having a secure domain and a non-secure domain. Provide a monitoring program 7 2 for the system to execute at least in a monitoring mode. In this exemplary embodiment, the security status flag is a writable access only within the monitoring mode and can be written by the monitoring program 72. The monitor 72 is responsible for managing all transitions in either direction between the secure domain and the non-secure domain. From an out-of-core point of view, the monitoring mode is always safe and the monitoring program is tied to security memory.

Within a non-secure domain, a non-secure operating system 74 is provided and most non-secure applications 7 6, 7 8 interacting with the non-secure operating system 74. In the security domain, a security kernel 80 is provided. The security kernel program 80 can be regarded as forming a security operating system. Such a security core program 80 will usually be designed to provide only those functions necessary for processing activities, so that the security core 80 is as small and simple as possible, because it is easy to ensure security. Shown are most security applications 82, 84 that are implemented in conjunction with the security core 80. Figure 3 illustrates a matrix of processing patterns associated with different security domains. In this particular example, the processing mode is symmetrical with respect to the security domain, and therefore mode 1 and mode 2 exist in both secure and non-secure forms 24 200417216. The monitoring mode has the highest level of security access in the system, and in the exemplary embodiment is the only mode authorized to switch in either direction between a non-secure domain and a secure domain. Therefore, all domain conversions are within the monitoring mode, and are performed by the monitoring mode and the execution of the monitoring program 72.

FIG. 4 illustrates another set of non-secure network domain processing modes 1, 2, 3, and 4, and secure network domain processing modes a, b, and c. With respect to the symmetrical arrangement of Figure 3, Figure 4 illustrates that some processing modes may not appear in one or other secure domains. The monitoring mode 8 6 is shown again, which covers non-secure and secure domains. The monitoring mode 86 can be regarded as a security processing mode, because the security status flag can be changed in this mode and the monitoring program 72 in the monitoring mode has the ability to set the security status flag by itself. Overall, It effectively provides the ultimate level of security within the system.

Figure 5 illustrates another arrangement of processing modes in terms of a security domain. In this arrangement, both secure and non-secure domains and a further domain are identified. This further domain may be a method that does not require interaction with the above-mentioned secure or non-secure domains and is independent of other parts of a system, so it is a question of who it is It doesn't matter. I will understand a processing system, such as typically providing a microprocessor with a login block 88, in which operand values can be stored. Figure 6 illustrates a module view of an exemplary login block for a programmer, which has Log in for exclusive access to certain login numbers in certain 25 200417216 processing modes. In particular, the example in Figure 6 is an extension of the knowledge of ARM's login area from Bing + Ni (for example, the ARM 7 processing test at ARM Limited (Cambridge, UK) was performed by the donor of the last day ° τ). The recording mode of the processing mode and the amount provided by an exclusive control mode need not be stored, but can be provided at a selected processing speed to indicate another real-time login area. In this method, when access is available. The natural mechanism records it. Before the situation of the possible full registration area of the above domains, you need to be able to use it, as shown in the sixth program state Rl4 'but as shown in Figure 6', in order to restore the other mode to one Type registration, used for class conversion related, two completely different types are used for security materials stored in the domain for conversion permission, and the self-safety of the desired domain and security information is to avoid content. If the re-form of the isodomain scenario is responsible for logging off from a provision with each stacking index, the monitoring mode also has a monitoring mode when the monitoring mode has an interrupt mode. The mode transition time is shown in Figure 7. Domain operation registration data becomes fast and effective and accessible registration to security has another special problem, which simplifies the expansion of the hardware system and a dedicated storage link registration application. The external exclusive registration is then further reduced from the embodiment of this embodiment, which is divided into blocks 8 to 8 which divides the security information into the non-security network and if allowed to the non-security arrangement prevents the sexuality. An important block is clearing the security map within the login. Monitoring profile, an exclusive In this case, quickly enter the above quick login status. It seems that rapid interruption speeds up a secure system to wait for and separate login domains and non-secure networks, which can prevent 'through the use of global domains. Domain converted to

26 200417216 Another domain. Restoring content, saving previous content, and clearing registrations are performed at least in part by a monitoring program in monitoring mode. The system thus behaves like a virtualization module. Embodiments of this type are discussed further below. When discussing security features in this article, reference should be made to, for example, the programmer module for ARM 7. Processor Modes

Relative to most modes in the security context, the same mode supports both secure and non-secure domains (see Figure 8). The human monitoring mode knows the current state of the core, whether it is secure or non-secure ( For example, when reading from a stored S bit, it is an auxiliary processor setting register). In Figure 8, whenever an SMI (Software Monitor Interrupt Instruction) occurs, the core enters the monitoring mode 'to properly transition from one situation to another. Refer to Figure 9 where SMIs are allowed in user mode: 1. Schedule thread 1 to start.

2. Thread 1 needs to execute a security function = = > SMI security call, and the core enters monitoring mode. The existing PC is controlled under the hardware, while the CPSR (current processor status register) is stored in R14 — mon ', and the SPSR_mon (saved processor status register for the monitor mode) and IRQ / FIQ interrupts are disabled. 3. The monitoring program performs the following tasks: Lu sets the S bit (security status flag). • Store at least R14-mon and SPSR-mon in the stack. When a security application is executed on 27 200417216, if the exception occurs, the non-security content will not be lost. ♦ Check if there is a new thread to launch: Security thread 1. A mechanism (in some example embodiments, by a thread ID table) indicates that thread 1 is enabled in the security context. • IRQ / FIQ interrupt is enabled again. A security application can now start in a security user mode. 4. Execute the security thread 1 to completion, and then (SMI) developed the "self-safety return" function of the monitor program mode (when the core enters the monitor mode, the IRQ / FIQ interrupt is invalidated). 5. The "return from secure" function performs the following tasks: * Instructs the completion of secure thread 1 (for example, in the case of a thread ID table, remove thread 1 from the table). • Restore and clear required logins from stacked non-secure content so that once you return to a non-secure domain, you cannot read any security data. * Then, return to the non-secure domain with a SUBS instruction (which restores the program count to the correct point and update the status flags), (from the restored R14-mon) to restore Pc and (from SPSR-m. n) Restore CPSR. Therefore, the return point in the non-security domain is after the SMI instruction previously executed by thread 1. 6. Execute thread 1 to end 'and return to the schedule. Some of the above-mentioned functionality may differ between the monitoring program 28 200417216 and the secure operating system, respectively, according to a particular embodiment. In other embodiments, SMIs may be required to be disallowed from appearing in the user mode. Entry for security stew

When a hard reset occurs, the MMU is disabled and the ARM core (processor) develops a safety oversight mode with S bits. As desired, once the safety boot is terminated, the sMI to the monitoring mode can be executed and the monitoring can be switched to the non-sexual brother's 0S (non-safety svc mode). If you want to use the previous OS, it can just start in the security supervision mode and ignore the security state. iMI directives (any non-security mode in the domain that translates software interrupt instructions calls SMIs restricted to permission mode), but the target entry point is always fixed and an appropriate operator control must be developed when the supervisor decides to implement it) . A mode) can be called from a non-secure network (as described above, it may wish to set I 'within the eye control mode determined by the relevant vector. It is fully functional by the SMI manager (for example, by the instruction borrow

From a non-secure security context to passing the parameters of the 6 type registration area to the security context, the intended registration can be performed by a total of 0 when an SMI occurs in a non-security context. The ARM core may be in hardware 29 200417216 performs the following actions: • Develops SMI vectors (allowed in secure memory access because you are currently in monitor mode) to monitor mode • Stores PC to R14_mon and CPSR to SPSR—mon • In monitor mode Start execution of Security Exception Manager (if multiple threads, restore / save content)

Call for the development of a security user mode (or another mode, such as the SVC mode) to implement appropriate functions. • When the core is in the monitoring mode, IRQ and FIQ fail (increased waiting time). There are two types of exit security exit Possibility of sexual situations: • The security function is completed and we return to the non-security mode where the function was previously called. • A security function was interrupted by a non-security exception (for example, IRQ / FIQ / SMI). _ The normal end of the security function The security function terminates normally and we need to restore the instructions immediately after the SMI and resume the application in a non-safety situation. In the security user mode, an "nSMI" instruction is executed to return a mode with appropriate parameters corresponding to the "self-safety context return" routine. At this stage, the logins are cleared to avoid leakage of data between non-security and security contexts. 30 200417216 The general purpose registrations of non-security content are then restored and their values obtained in non-security contexts Update non-security block login. R14_mon and SPSR — mon Therefore after SMI, execute the "MOVS PC, R14" instruction to obtain the appropriate value to resume the non-security application.

Exit of the security function due to a non-security exception In this case, the security function is not completed and the security content must be stored before entering the non-security exception manager, and the interrupts need to be handled anyway. Security Interruption There are several possibilities for security interruption. Two possible solutions are proposed based on the following two points: • What type of interruption is it (security or non-security)

• When the IRQ occurs, what mode the core is in (in a security or non-security context) Solution 1 In this solution, security and non-security interrupts need to be supported in two different ways. When in an unsafe situation, if an IRQ occurs, when in an ARM core (for example, ARM 7), the core enters IRQ mode to handle the interrupt. 31 200417216 As soon as an SIRQ occurs, the core enters monitoring mode to store non-secure content, and then enters a security IRQ manager to handle the security interrupt. When in a security context, if m-SIRQ occurs, the kernel enters the security IRQ manager. The core does not exit the security context. # An IRQ occurs, the core enters the monitoring mode for storing security content ’and then enters a non-secure IRQ manager to handle the non-security interrupt. In addition, when the interruption that does not belong to the current situation occurs, the core directly enters the monitoring mode, otherwise it stays in the current situation (please refer to Figure 10). Full-sex situation Please refer to Figure 11 Α: 1 · Schedule thread 1 to start. _ 2 Thread 1 needs to perform a security function => SMI security call 'The core enters the monitoring mode. PC and CPSR are currently stored in R14_mo and SPSR_mon, making IRQ / FIQ invalid. 3. The monitoring manager (program) performs the following tasks: • Sets the S bit. • Store at least R14-mon and SPSR-mon in the stack (you can also enter other logins), so that when the security application is executed, ’32 200417216 will not lose the non-security content. _Check if there is a new thread to launch: Security thread 1. A mechanism (via the thread ID table) indicates that thread 1 is enabled in the security context. • The security application can now be started in a secure user mode. IRQ / FIQ is then enabled again.

4. When security thread 1 executes, an IRQ occurs. The core directly jumps into the monitoring mode (exclusive vector) and SP14_mon in the monitoring mode, R14-mon and CPSR store the existing Pc (then invalidate IRq / FIq). 5 · Security content must be stored to restore previous non-security content. The monitoring manager must enter the IRQ mode in advance, update R14_irq / SPSR_irq with the appropriate value, and then transfer control to the non-secure irq manager. 6. The IRQ manager provides IRQ services and then passes control back to the thread in a non-security context1. By restoring SPRS '' rq and R14_irq to CPSR and PC, thread 1 has now pointed to the interrupted SMI instruction.

7. The SMI instruction is executed again (same instruction as 2). 8. The monitoring manager detects the previously interrupted thread and restores the content of this thread 1. Then it develops security thread 1 in the user mode to point to the interrupted instruction. 9 • Security thread 1 executes until its completion, and then develops the “self-return to security” function in monitoring mode (exclusive to SMI). 1 0 · The "Self-Return" function performs the following tasks:

• Refers to the unsafe execution of thread 1 (for example, in the case of a thread ID 33 200417216 table, thread 1 is removed from the table). φ Restores and clears the required logins from the stack of non-security content, so that once the non-security context is returned, no security data can be read. φ Return to the non-safety situation with a SUBS instruction, (from the restored R14 — mON) to restore the PC and (from SPSR_mon) to restore the CPSR. Then the return point in the non-safety context should be the instruction following the previously executed SMI in thread 1.

11 · Thread 1 executes to the end, and then returns control to the schedule.

Refer to Figure 11B for the SIRQ of “Non-safety training 4”: 1 Schedule the execution of thread 1. 2. When security thread 1 executes, a SIRQ occurs. The core directly jumps to the monitoring mode (exclusive vector) and in the monitoring mode, R14_mon of SPSR_mon and CPSR store the existing Pc ’and then invalidate irq / fiq. 3 Non-secure content must be stored before the core enters the security IRQ manager. 4. The IRQ manager provides the sirq service, and then returns control to the monitoring mode manager with an SMI with appropriate parameters. 5. The monitoring manager restores non-security content, so a suBS instruction returns the core to the non-security context and resumes the interrupted thread1. 6 Execute thread 1 until the end, and then return control to the schedule. The mechanism of Figure 11 A has the advantage of providing a decisive approach to entering a security context. However, there are some issues related to interrupt priority: Example 34 200417216 For example, when a SIRQ is executed in a secure interrupt manager, a non-secure IRQ with a higher priority may occur. Once the non-safety IRQ is complete, the S IRQ event needs to be generated again before the core can resume the safety interrupt. Solution two In this mechanism (please refer to Figure 12), two different or only one pin can support security and non-security interrupts. Two pins are used to reduce interrupt wait time. When in an unsafe situation, if an IRQ occurs, the core enters IRQ mode to handle the interrupt, as in an ARM7 system. • An SIRQ occurs and the core enters the IRQ manager. One of the SMI instructions will cause the core to develop a monitoring mode to store non-secure content, and then develop a secure IRQ manager to manage the security interrupt. When in a security context, if a SIRQ occurs, the core enters the security IRQ manager. The core does not exit the security context. • When an IRQ occurs, the core enters the security IRQ manager. One of the SMI instructions will cause the core to develop a monitoring mode (where the security content is stored), and then enter a non-security IRQ manager to handle the non-security interrupt. 35 200417216 The IRQ occurred in the security situation, please refer to Figure 13A: 1 Schedule the execution of thread 1. 2 · Thread 1 needs to perform a security function ==> μ I security call · The core enters the monitoring mode. Currently, the PC and CPSR are stored in R1 4a and SPSR_mon to disable IRQ / FIQ. 3 · The monitoring manager performs the following tasks: • Sets the S bit. • Store at least R1 4-mon and SPSR_mon (and other logins) in a stack, so if an abnormality occurs during the execution of the security application, the non-security content will not be lost. • Check if there is a new thread to launch: Security thread 1. A mechanism (via the thread ID table) indicates that thread 1 is enabled in the security context. • The security application can now start in a security consumer mode. IRQ / FIQ is enabled again. 4 · When security thread 1 executes, an IR Q occurs. The core jumps directly to the security IRQ mode. 5. The core stores the existing PC in R14-irq and SPSR —irq in CPSR. The IRQ manager detects it as a non-security interrupt and executes an SMI with the appropriate parameters to enter the monitor mode. 6 · We must rely on security content to restore the previous non-security inner valley. The monitoring manager knows where the SMI comes from by reading the CPSR. It can also enter the IRQ mode to read R14-IRQ / SPSR-irq in order to properly store security content. It can also store non-secure content that must be restored once the IRQ instance is completed in these same registries. 7. The IRQ processor provides the irq service and then returns control to thread 1 in this non-security context. By restoring SPRS_irq and R14 "rq to CPSR and PC ', the current core points to the smi instruction that has been interrupted. 8. Execute the SMI instruction again (such as the same instruction in 2).

9. The monitoring manager detects the previously interrupted thread and restores the state of the thread 1. It then developed security thread 1 in user mode, pointing to the interrupted instruction. 10. Security Thread 1 executes to completion, and then develops "Self-Return"; a function in the monitoring mode (specialized in SMI). 11. The "Self-Return to Security" function performs the following tasks: #Indicates that security thread 1 is complete (that is, in the case of a thread ID table, thread 1 is removed from the table).

• Restore and clear required logins from stacked non-security content, so once we return to a non-security context, we cannot read any security information. Call for the development of a SUBS instruction to return to the non-safety situation, restore the PC (from SPSR-mon) and restore the CPSR (from SPSR-mon). The return point in the non-safety situation should be previously executed in the thread. Instructions after SMI. 1 2 · Thread 1 executes until the end, and then returns to the schedule to take over. 37 200417216 SIRO with bee situation Please refer to Figure 13B: 1 Schedule the thread 1 to start. 2. When security thread 1 executes, -SIRq occurs. 3. The core directly jumps to irq mode, and stores the current pc in R14 — irq and stores the CPSR in SPSR — irq. IRq is then disabled. The IRq manager detects that it is a SIRQ and executes an smi instruction with the appropriate parameters.

4 · Once in monitoring mode, non-security content must be stored, and then the kernel enters the security IRQ manager. 5. Security IRQ manager provides SIRQ service example service, and then returns control to monitoring with SMI with appropriate parameters. 6. The monitoring manager restores the non-security content, so a suBg # _ returns the core to the non-safety situation and resumes the interrupted IRq tube 9 7 '^ At this time, the IRQ manager can return by executing a SUBS Not ~. Women's full thread Sex 8. Thread 1 executes to the end, then returns control to the schedule

Referring to the mechanism in Figure 12, SIRQ events do not need to be generated in many interrupt situations, but security interrupts are not guaranteed to be executed. Exception vectors They are safe in the context and retain at least two entity vector tables (although from a virtual address, see (Like a single vector table)-one for the non-security of non-secure memory, and one for the security context of secure memory (not self-access 38 200417216 sexual context access). Used for security body memory mapping, there are: Second, different virtual-to-physical scenarios in the real-world scenario. The same virtual memory address is accessed in different directions stored in the memory. Jli control The model always uses pure § self-memory mapping to provide a third vector table in the management discipline, obstacles & If the interrupts follow the mechanism of Figure 12, for each table there will be the following vectors as shown in Figure 14. This vector set is duplicated in safety and non-security memory. Exception vector offset value-see Reset Type 0x00 (s-byte) Undef 0x04 Chinese / Undef mode SWI 0x08 Pre / fetch mode OxOC Abort mode (Prefetch Abort) Data abort 0x10 Abort mode (Data Abort) IRQ / SIRQ 0x18 IRQ mode FIQ OxlX FIQ mode SMI 0x20 Undef mode / monitor mode

Reset entry exists only in the security vector table. When a Reset is executed in a non-safety context, the core hardware prompts it to enter the supervisor mode and set the S bit, so that the Reset vector can be accessed in the security memory. 0 39 200417216 Figure 15 Three anomalous vector tables for epistemic Penang, non-safety, and monitoring modes. h, +, w # Zhuang Xiang. ^ The fan anomaly vector table is designed with Li Ming to 1, in order to meet the requirements of security and non-safety, Η 、 non- * full-scale operating systems and semi-permanent. Both mother and anomaly can be listed in epi5 ''

* β "has a related registration to the base address of the J table, and the CP 1 5 is now hidden ^ stores a base address pointed to in the memory body. When an abnormality occurs, the hardware will refer to The base address of the vector table corresponding to the system's target state is registered to determine all:

Scale base address. Optionally, different virtual: physical memory mappings that should be used in different modes can be used to distinguish between two different vector tables stored in different physical memories. As shown in Fig. 16, an exception mask is provided in the -system (setting control) auxiliary processor (CP15) with the processor core. The exception capture mask registration provides flags related to the respective exception type. These flags indicate whether the hardware should proceed to the vector for anomalies related to its existing domain, or should facilitate a transition to monitoring mode (which is a security mode type) and then follow the table in the monitoring mode vector In vector. The error capture mask registration (error control registration) can be written only in the monitor mode. Read access can also be caught by exceptions in a non-secure mode

Dreamcatcher mask is prevented. It can be seen that the exception capture mask registration in Fig. 16 does not include a flag of a no-vector. When the system is not set to always be the same as that set in the security vector table, it is forced to jump to the security supervision mode. The weight a in the vector is to ensure a secure boot and backward compatibility. It can be seen that 'in Figure 15 for the sake of completeness, the reset vector has appeared in the vector table instead of the security vector table of the security supervision mode. Figure 16 also shows the different types of exceptions in the exception capture mask registration. 40 200417216 type flags can be designed, for example, by a monitoring program during security boot. Optionally, if some or some flags can be provided by the physical input signal in some implementations, for example, the security interrupt flag S IRQ can be hard-wired to always cause the monitor mode to be entered and the corresponding monitor mode to be implemented. Interrupt request vector when a security interrupt signal is received. Figure 16 shows that only the part of the exception capture registration is related to the non-security domain exception, and a similar part of the programmable bit will be provided to the security domain exception. I can understand from the above that in one level, the hardware controls the login flags based on these exception control, causing the existing domain exception manager or monitoring mode exception manager to provide an interrupt, which is only the first level of control applied . For example, an exception may also occur in the security mode, and the security mode exception vector is based on the security mode exception manager, but at this time, the security mode exception manager is determined by the nature of the exception. It would be better for the security exception manager to handle this, and therefore an SMI instruction is used to switch to the non-security mode and request the non-security exception manager. It is also possible to have a transition in which the hardware can initiate the non-security exception manager, but then it executes instructions that direct the program to the security exception manager or the monitoring mode exception manager. Figure 17 is a flowchart showing the operation of the system to support another possible type of conversion request related to a new type of exception. In step 98, the hardware detects an instruction to change to the monitoring mode when it is instructed in an existing program status register (CPSR). When such an intent is detected, a new type of exception is triggered, which is referred to herein as a CPSR violation exception. At step 100, the CPSR violation exception is generated, causing a reference to an appropriate exception vector within the monitoring mode 41 200417216, and the monitor program is executed at step 02 to handle the CPSR violation exception. I will understand that in addition to supporting the SMI instructions previously discussed, it may provide a mechanism for initiating a transition between a secure domain and a non-secure domain as discussed in relation to FIG. 17. An exception mechanism can be provided in response to an unauthorized intent to switch modes, and all authorized intents should be performed through an SMI instruction. Alternatively, such a mechanism may be a legitimate method of transitioning between a secure domain and a non-secure domain, or it may be provided to give backward compatibility, which has (for example, an attempt to clear a processing status login) Eliminate the code, even if it ’s not really an unauthorized conversion intent between a secure domain and a non-secure domain. As mentioned above, interrupts are disabled. The reason for this is to improve the security of the system. When an interrupt occurs, the state of the processor at that moment is stored in the interrupt exception registration. Therefore, when the interrupt function is completed, the processing of the interrupted function can be resumed at the interrupt point. #If this processing is allowed in the monitoring mode, it may reduce the security of the monitoring mode and may cause the security data to leak 2 paths. Therefore, interrupts are usually disabled in monitor mode. However, as a result of invalidating the interrupt during the monitoring mode, the interrupt interval is increased. 5 If the processor is executing functions in interrupt mode, interrupts are enabled. It can only be done on a continuous basis. Therefore, by interrupting the function of monitoring startup, the state can not be resolved. It is also possible that after the monitoring interruption, the function does not resume in the mode. Only the interruption waiting in the monitoring mode can be safely resumed. The problem. In this case, after an interruption in the monitoring mode, once the interruption is completed, the data related to the processing of the function is not stored and discarded and the processor is instructed to start processing its initial function from its beginning. . In the example above, when the processor simply returns to the point where it transitioned to monitor mode, it is a simple matter. It should be noted that restarting a function is only possible for some functions that can be restarted and still produce repeatable results. If the function changes the state of the processor and produces a different result when it is restarted, it is not a good idea to restart the function. Therefore, only those functions that can be safely restarted can be interrupted in the monitor mode, and for other functions, these interrupts are disabled. Fig. 18 illustrates a method for handling an interrupt occurring in a monitor mode according to an embodiment of the present invention. In a non-security mode, an SMI occurs during the processing of task A, and it switches the processor to the monitoring mode. The SMI instruction enables the core to enter the monitoring mode through a dedicated non-safe SMI vector. The current state of the PC is stored, the S bit is set and the interrupt is disabled. Generally, LR_mon and SPSR_mon are used to store the PC and CPSR in non-security mode. Then a function-function C is started in the monitoring mode. The first thing function C does is to enable the interrupts, and then function C is processed. If an interrupt occurs during the processing of function C, the interrupts are not invalidated to accept and execute the interrupt. However, the monitoring mode indicator indicates to the processor that after an interruption, the function is not resumed or restarted. Optionally, the processors can be individually instructed by control parameters. Therefore, after an interrupt, the interrupt exception vectors 43 200417216 are updated with the LR-mon and SPSR_mon values without storing the current state of the processor. As shown in Figure 18, after the interrupt task-task B is completed, the processor reads the address of the SMI instruction that has been copied to the interrupt registration, executes sMl, and starts processing function C again. The above processing only works when function C can be restarted, that is, if process C is restarted, repeatable processing steps will be generated. This does not mean that function C changes any state of the processor, for example, stacking indicators can affect future processing. Here, a function called repeatable is due to idempotence. One way to deal with the problem of a function is to rearrange the code that defines the function. In this method, the part of the code has idempotent. Once it is no longer possible to arrange a idempotent program code, the interrupt is invalidated . For example, if the code C involves writing to the heap, then it is possible to do so at least initially without updating the stack indicator. Once it is determined that the code can no longer be safely restarted, the function C code can instruct the processor Disable the interrupt, and then it can update the stacking index at the correct position. As shown in Figure 18, the interruption is disabled in some way by processing the function. Figure 19 illustrates a slightly different example. In this example, a further control parameter is set by some method of task C processing. The following part of the task C is not strictly idempotent, but can be completely restarted 'to ensure that an improved routine is executed first. This improved formula restores the state of the processor to what it was at the beginning of task C. At the end of the task, if it is not interrupted, when it has completed, it allows any c to safely restart and generate secure processing. Device status. In a sense that ca n’t be solved, the formula is indeed C. In the example of 2004 200417216, at the point where further control parameters are set, when some state of the processor is modified (for example, updating the stack index), The interruption can be lost for a short period of time. This allows the processor to be restored to a power state later. When an interruption occurs after further control parameters are set, there are two possible processing methods. Either an improved routine that can execute immediately (at F 1) and then process the interrupt, or an interrupt that can be processed immediately and then interrupted later, execute SMI, and then execute this progress before restarting task C (at F2). As shown, in the above two embodiments, the improved example is executed in the monitoring mode, and therefore the line in the non-security domain (which does not know the security domain or monitoring mode) is not affected . As shown in Figure 19, the first part of one of the codes C has idempotence and can be restarted after an interruption. A second part can be restarted, ensuring that a modified example is performed first. And it is indicated by setting a "further" system parameter, and the last part of the code cannot be restarted and therefore the interrupt is invalidated before the code is processed. Figure 20 illustrates an alternative example, in which case it is different. In other embodiments, interrupts are enabled during monitor mode. Functions then executed in the supervisor mode disable the interrupts once they can no longer be safely restarted. It is possible only when all interrupted functions in the monitoring mode can be restarted rather than resumed. There are ways to ensure that everything works in a certain mode, rather than resume on interruption. One method is to add a new state of the processor, in which the start address of the interrupted storage instruction sequence, instead of the effect, can be completely changed and controlled, and the control of the full execution of 45 200417216 will be executed. Address. In this case, the monitoring mode is always executed in this state. An alternative method is to interrupt the abnormal registration by preloading the start address of a function to the interrupt exception registration at the beginning of each function, and invalidating the subsequent writing of the processor state after the interrupt. In the embodiment shown in FIG. 20, if the function is required to be restarted safely, the restart of the function may be completed immediately after the interrupt function is completed, or after an improved routine. Although a method of handling interrupt latency has been described above with respect to a system with a secure, non-secure domain, and a monitoring mode, it can be understood that it can be applied to a function that should not be used for a specific reason Resume any system. Normally such functions can be used by disabling interrupts that increase interrupt latency. After an interrupt, the correct function is to restart and control the processor to restart them. For at least part of the functional processing, allow the interrupts to be enabled and help reduce interrupt wait time. For example, the general content conversion of an operating system. Accessing secure and non-secure memory The data processing device shown in the first figure has memory, which includes TCM 36, cache 38, ROM 44, memory for controlled devices, and external memory 56. As shown in Figure 37, for example, the memory is divided into secure and non-secure memory. I will understand that at the time of manufacture, there is usually no practical difference between the secure memory area and the non-secure memory area, but instead these areas are defined by a security operating system of the data processing equipment. When operating on this security domain. Therefore, any physical eight ^ ^ ^ knife of the memory device of 2004 4617216 can be allocated as secure memory, and any physical part can be detached as a non-secure memory. As shown in Figures 2 to 筮, the processing system has a secure domain and a non-secure domain. In the security domain, a security kernel ~ program 80 is provided and executed in a -6 female mode. A monitoring program 7 2 is provided, which covers security and safety, .periphery, and at least a part of which is implemented in a monitoring mode. : Shi Yu, ^. V * In the embodiment, the monitoring program part is executed in the monitoring-king mode. As shown in Figure 10, there are multiple female holistic models. The white bars in the basin and the eighth include the supervised mode SVC.

The monitoring program 72 is responsible for all changes in either direction between the women's holistic and non-safe domains. Refer to Figure 8 and Figure 9 in the chapter "Processor Transformation" for the fAA 丄 Afc work month b. The monitoring program is responsible for transmitting Μ _ π i Μ in a non-security mode, a mode conversion request s MI to initialize a conversion from top: non-textual & mode to the above security mode, and is responsible Please read a mode transition issued in the women ’s 1 ± mode to initialize the self-reporting of women ’s || filial piety to the above non-safety mode. As described in the section "Conversions Between Contexts", the name #lack In the interest-control panel type, the conversion occurs from one of the secure and non-secure domains—the conversion of at least some of them to the other. This involves storing the existing login status in one domain and writing the new status to the login in other domains (or restoring the previously stored status in the login. This article also discusses that when this is implemented, Sister Gan tL ★ As soon as J is turned on, access to some logins may be invalidated. The preferred embodiment is to disable all interrupts in the supervisory mode of low-cost grants.仃 The control of the dish covers security and non-security

The full network domain, so it is important to confirm that the monitoring program of Queen A 1 Feng of Rong Jin is only 47 200417216 = the function that the department wants to deploy. So it's more beneficial if the monitoring program is simpler. The security mode allows only the τ vanadium sequence in the security domain. In the implementation of the present invention, the authority full mode and monitoring mode allow access to the same secure and non-secure memory. By ensuring that the security mode of the permission "sees" the same security and non-security seals, "hidden", can only be performed in the monitoring mode: can be switched to a security mode that allows simplified monitoring programs. From now on, ", the processing in the queen spit mode is directly switched to the monitoring mode, and vice versa. The transition from a security mode of security to monitoring ... is allowed. 'In the monitoring mode, you can switch to non-secure two payers. The non-authority security mode must use SMI to enter the monitoring 2 reset. 'Λ system enters permission security mode. Moving between domains, and moving back and forth between & control mode and permission security mode can help save state. Conversion In other embodiments, the S flag is allowed to be accessed from the security permission mode and the "=" mode. If the security permission mode is allowed: the control of the process flow is taken, and the processor is switched to the monitoring mode, this class 2 The sexual permission mode already has the effective jealousy of converting the S flag (bit). This' provision that only dogs can change the s flag in the monitoring mode's extra 'heterogeneity factor' can be verified to be correct. Conversely, it can be set with other settings The flags are the same: the method is stored, but the other set flags can be changed by the security permission mode of the question. The present technology includes such an embodiment that the S flag is changed in one of the most security 2 formulas. Returning to the exemplary embodiment just discussed, the device has a level of authority that defines the mode—the processor core 10; that is, any set of functions that are allowed by chess 2 48 200417216. Therefore, the conventional mode is arranged to handle the global mode and Monitoring mode accesses security and non-security cores to allow security mode to access all hidden objects that monitoring mode allows access to, and to handle any operations that are performed in security mode. _In 44 4Α 7Τ ΚΑ style, and vice versa. The processor core 10 is better, and the controller is indescribable. * The allowed ones are as follows in an example of this device, memory is divided, and non-security Memory, while security and non-security: ,,, and security memory can only be accessed in the monitoring and security mode. Compared with the 14 5 memory, both of them are a real package, full memory in The monitoring mode and security mode are listed as: # 安 Access ... In the non-security mode: ... reject ... sex ... non-secure: two :::: Π non-secure 1 * production mode refuses security and monitoring mode Access to non-secure bodies. Therefore, access to the body is only allowed in the monitoring and security system, and it is only possible to increase security by improving the security. Mode memory. 讦 非 非 > Setting or booting can be performed in a monitoring mode that is deemed to require permissions. To allow resets in Security Mode and Supervisor Mode and examples of this device, the device · The weight is more ancient than a security mode and permission mode. However, many of the devices In the example, it is possible to switch directly between g-control modes, and it is possible to arrange t_ booting. "Two | Wang domain, and one security kernel 80 (or operating system month dagger, and one or most 49 200417216 applications 82, 84 may be implemented in security core 80. This security core and / or security application or any other code running in a security mode is allowed to access both secure and non-secure memory. A device with a processor describes an example of the present invention. The present invention can be deployed by a computer program that, when executed on a suitable processor, sets the processor with the operations described in this section.

In the following, referring to FIGS. 21 to 23, an alternative embodiment of the present invention refers to a model perspective from a programmer: In the following, the term used by us must be based on an ARM processor (from Cambridge, England). Designed by ARM Limited). • S bit ... The security status bit is included in a dedicated CP 1 5 login. # "Women's Sexuality / Unsafe Sex". This state is defined by the S-bit value. It indicates whether the core can access the security context (when it is in a security state, i.e., s = 1) or restricts only non-security contexts (s = 0). Please note that the monitoring mode (see below) takes precedence over this s-bit state.

# "Non-security contexts" are all hardware / software groups that can be accessed by non-security applications that do not require security. • A Security Context is a group of all hardware / software (core, memory ...) that is only accessible to me when executing security code. #Monitoring mode: A new mode that is responsible for transitioning between security and non-security states. In short, it is called on the core to always have access to non-security situations. #Only when the core is in the security state or monitoring mode, the core can save 50 200417216 to take the security situation. • smi: software monitoring interrupt: a new instruction that enables the core to enter monitoring mode through a dedicated sMI exception vector. "Thread lDj: an identifier associated with each thread (controlled by -OS). For some types of OS, a security function is called each time the OS is executed in a non-security context. An existing thread ID parameter needs to be passed to connect the security function with the non-security application it is calling. This security scenario can therefore support multiple threads. Call for security interrupts to define interrupts that are generated by security perimeters Designer's Module

Carbon Core Overview The concept of the term "Carbon architecture" used in this article for processors using this technology includes two scenarios, one for security and one for non-security. This security scenario must not leak any information into a non-security scenario. In the solution proposed in this article, the same (existing) login block will be shared by the security and non-security states. Therefore, all the existing patterns (Abort, Undef, Irq, User ...) in the ARM core will exist in each state. Thanks to the new status bit rs (security) bit 7C "'included in the dedicated CP15 registration, the core will know whether it is operating in a secure or non-secure state. An instruction or event allowed by the control modifies the s-bit, i.e., changes from one state to another, an important feature of system security. The 200417216 solution proposes to add a new mode "monitoring mode", whose "supervision" is switched between the two states. This monitoring mode (by writing in the appropriate cP15 login) is the only one allowed to change the S bit. Finally, the present invention proposes a method of adding some flexibility to exception handling. With the exception of Reset, all exceptions are either handled in their place or they are directed to the monitoring mode. Due to an exclusive one cpi5 login, this can be set. The details of this solution are discussed in the following paragraphs. The processor status and the new carbon features are safe or "! L security traits bear (S ^

A major feature of the Carbon core is the presence of the s-bit, which indicates whether the core is in a secure (s = 1) or non-secure (s =: 0) state. When in a state of security, the 'core can access any data in a security or non-security context. When in a non-security state, the core is limited to that security context. Will perform-/ one dish 1 labor insurance type, its priority is 疋 information. Even ... when it is in the monitoring mode, the core women have full access to the rights. For further information, please refer to the monitoring formula in the next paragraph. This is enough to read and write the $ bit in the current control mode. Regardless of the value of the s-bit 70 'If any other mode attempts to access it, if it is not ignored ^ leads to an —Undefined (undefined) exception. 52 200417216 Except for Reset, all exceptions will not affect the safety status bits. On Reset, the s bit is set and the core will start in supervisor mode. For more information, please refer to the booting chapter. The security / non-security state is separate and its operation is independent of the ARM / Thumb / Java state. Monitoring mode

Another important feature of the Carbon system is the creation of a new model, the "monitoring mode", which will be used to control core transitions between security and non-security states. It is always regarded as a security mode, that is, what is the value of the S bit. When in the monitoring mode, the core always performs security permission access to external situations. Any security permission mode (that is, the permission mode when S == 1) can be switched to the monitoring mode by only writing to the CPSR mode bits (MSR, mVS, or equivalent commander). However, it is prohibited in any non-security mode or security user mode. If this happens, the instruction is ignored or an exception is raised. There may be a need for a dedicated CPSR violation exception. By directly writing the CPSR from any non-security mode or security user mode, the exception can be caused by any intention to switch to the monitoring mode. When the monitoring mode is enabled, except for Reset, all exceptions are actually disabled: * All interrupts are masked; φAll memory exceptions are either ignored or cause a major exception. 53 200417216 The undefined / SWl / SMI was ignored or caused a major exception. When entering a monitoring mode, the interrupts are automatically disabled and the system monitoring should be written down 'so that no other types of exceptions will occur when the system monitoring is performed. The monitoring mode requires some private logins. This solution proposes that people only repeat the login of dare groups, that is, r 1 3 (sp —mon), R1 4 (lr —mon), and SPSR (spsr-rn ο η) 〇 In the monitoring mode, the MMU will fail (flat The same applies to flat address maps and MPUs or partition detectors (monitoring mode will always perform security access to external access) ^ However, especially the MPU area attributes (cacheability ... etc.) designed ) Is still enabled. Alternatively, the monitoring mode can use all mappings used by the security domain. New instructions The present inventors need to add a new instruction to an existing ARM instruction set. Use SMI (Software Monitor Interrupt) instruction to enter monitor mode (developed on a fixed SMI exception vector). This directive is mainly used to swap the indication monitoring between non-safety and safety status. Optionally (or additionally), < a new instruction can be added to allow the monitoring mode to store / restore the state of any other mode to / from the monitoring stack to improve the performance of content conversion. 54 200417216

As stated in the previous paragraph, 'Only a new mode is added. Existing modes are continuously available, and both security and non-security exist. In fact, Carbon users will understand the registration blocks provided by the embodiment of the present invention, as shown in Figure 21, which present security and non-security scenarios. This means that when monitoring one situation from the other through the monitoring mode, the system monitoring will need to store the content of the first scenario and generate (or restore) one content in the two scenarios. Passing parameters becomes Gu Yi's task: once the system monitors the reset, any information contained in one login in the first scenario is in the same login in the second scenario. However, in addition to a limited number of logins dedicated to strictly passing parameters, his login needs to be cleared when passing from security to non-secure state to avoid leaking any security data, which is ensured by the monitoring core. It is also possible to deploy a hardware mechanism or—new instructions—to clear the login directly when going from security to non-security. Another proposed solution involves repeating all (or large ^ login blocks' thus having separate login blocks on entities that are in a secure and non-secure state. "This solution has a clear core. In the state: The structure of the common environment is converted to and will be available at the time of the change. It needs to be all. It needs to be fully converted. [Several] There is a clear separation between the existing 55 200417216 security included in the login Of sexual and non-safety data. Fast content transitions are also allowed between security and non-security states. However, the disadvantage is that it is difficult to pass parameters through the login, unless we generate some specialized instructions to allow the security context to access non-secure logins. Figure 22 illustrates the available logins based on the processor mode. Note that processor status has no effect on this topic. Exception Security Interrupts Existing Solution 銮 The present invention proposes to keep the same interrupt pins, i.e., IRQ and FIQ, when in the existing core. Regarding the exception trap mask register (see below for details), there should be enough flexibility for any system to deploy and handle different types of interrupts. y I c Enhancement The present invention enhances VIC (Vectored Interrupt Controller) by the following methods: VIC may contain a security information bit associated with each white space address. This bit can only be designed by monitoring or security permission mode. It indicates whether the interruption considered should be considered security and therefore should be handled in security. The present invention also adds two new vector address registrations, one for all security interrupts that occur in a non-security state, and the other for all non-security interrupts that occur in a security profile. 56 200417216 The S-bit information contained in CP 15 is made available to the VIC as a new VIC input. The following table outlines some different possible processes, which are based on the status of the interrupt introduced (safety or non-safety, indicated by the S bit associated with each interrupt line) and the status of the core (in VIC, CP15 = S input S bit of the signal).

57 200417216

Anomaly management settings To improve the flexibility of Carbon, a new registration “Anomaly Capture Mask” will be added to CP 1 5. This entry contains the following bits: Bit 0: Undef exception (non-security state) Bit 1: SWI exception (non-security state) Bit 2: Prefetch abort exception (non-security state) Bit 3: Data abort Exception (non-safe status) Bit 4: IRQ exception (non-safe status) Bit 5: FIQ exception (non-safe status) Bit 6: SMI exception (non-safe / safe status s) Bit 16 : Undef exception (security state) bit 17: SWI exception (security state) 58 200417216 bit 18: Prefetch abort exception (security state) bit 19: Data abort exception (security state) bit 20: IRQ Exception (Security State) Bit 21: FIQ Exception (Security State)

The Reset exception does not always have a corresponding bit in the login. Reset always makes the core enter the security supervision mode through its exclusive vector. If a bit is set, the corresponding exception causes the core to enter the monitoring mode. Otherwise, it handles the exception in its corresponding manager in the context in which it occurred. This login is only visible in monitoring mode. Any instruction attempting to access it in any other mode is ignored. The login should be initialized to a system-specific value, depending on whether the system supports a monitoring. This function can be controlled by VIC. The exception vector table has security and non-safety scenarios, so separate security and non-safety exception vector tables are also needed. In addition, if the monitoring can also catch some anomalies, we also need a third abnormal vector table dedicated to monitoring. The following table outlines three different exception vector tables: In non-safe memory: The timing of automatic access to the address exception mode 59 200417216 0x00 _ • 0x04 Undef Undef When the core is in an unsafe state and the exception capture mask is registered, Undefined instruction executed [Non-secure Undef] = 0 0x08 SWI Supervisor (Supervision) When the core is in a non-secure state and the exception capture mask is logged in, the SWI instruction executed [Non-secure SWI] = 0 0x0c: ) refetch Abort Abort (Abort) When the core is in a non-safe state and the exception capture mask is logged in, the abort instruction [Non-secure Pabort] = 0 0x10 Data Abort Abort is in a non-safe state and the exception capture mask is in the core When the mask is registered, the execution suspension data [Non-secure DAbort] = 0 0x14 Reserved 0x18 IRQ IRQ When the core is in a non-safe state and the exception capture mask is registered, the set IRQ pin (assert) [ Non-secure IRQ] = 0 Ox 1 c FIQ FIQ When the core is in a non-secure state and the exception capture mask is registered, the FIQ pin set (assert) [pin] [ Non-secure FIQ] = 〇

60 200417216 In the security memory: The timing of the automatic access of the address abnormality mode 0x00 Reset * Supervisor resets the set pin 0x04 Undef Undef is executed when the core is in the security state and the exception trap mask is registered. Undefined instruction [Secure Undef] = 0 0x08 SWI Supervisor (Supervision) When the core is in a secure state and the exception capture mask is logged in, the SWI instruction [Secure SWI] = 0 Ox 0c Prefetch Abort Abort (Abort) in When the kernel is in the security state and the exception capture mask is logged in, the abort instruction executed [Secure Pabort] = 0 0x10 Data Abort Abort When the kernel is in the security state and the exception capture mask is logged in, the execution abort data [Secure DAbort ] = 0 0x14 Reserved 0x18 IRQ IRQ When the core is in the security state and the exception capture mask is registered, the set IRQ pin [assert] [Secure IRQ] = 0 Ox 1 c FIQ FIQ is in the core security When the status and exception capture mask are registered, the set FIQ pin [Secure FIQ] = 0

61 200417216 In monitoring memory (flat mapping): The timing of automatic access to the address exception mode 0x00--0x04 Undef Monitor (monitoring) is executed when the core is in a security state and the exception capture mask is registered. Undefined instruction [Secure Undef] = 1 Undefined instruction executed when the core is in a non-secure state and the exception capture mask is logged in [Non-Secure Undef] = l 0x08 SWI Monitor (monitoring) is in the core security state When the exception capture mask is registered, the executed SWI instruction [Secure SWI] = 1 When the core is in a non-secure state and the exception capture mask is registered, the SWI instruction executed [Non-Secure SWI] = 1 0x0c Prefetch Abort Monitor (Monitoring) When the kernel is in a secure state and the exception capture mask is logged in, the abort instruction is executed [Secure Pabort] = l When the kernel is in a non-safe state and the exception capture mask is logged in, the abort instruction is executed [ Non-Secure Pabort] = l 0x10 Data Abort Monitor (monitoring) executed when the core is in a security state and the exception capture mask is logged in Suspend data [Secure DAbort] = l 62 200417216 Suspend data performed when the core is in a non-secure state and the exception capture mask is logged in [Non-Secure DAbort] = l 0x14 SMI Monitor (monitor) 0x18 IRQ Monitor (monitor) Set IRQ pin (assert) [Secure IRQ] = 0 when the core is in a security state and the exception capture mask is registered (set ( IRQ pin of assert) [Non-Secure IRQ] = 0 Ox 1 c FIQ Monitor (monitor) When the core is in a safe state and the exception capture mask is registered, the FIQ pin of the assertion is set. ) [Secure FIQ] = 〇 When the core is in a non-secure state and the exception capture mask is registered, the set FIQ pin is [Non-Secure FIQ] = 〇 In the monitoring mode, there can be two An exception vector, so each exception will have two different correlation vectors: one for exceptions that appear in a non-security state, one for exceptions that appear in a security state 63/216/216 because the monitoring core no longer needs to SMI is the most suitable selected from the transition between the full state. This can reduce the abnormal waiting time and detect the initial state where the abnormality occurred. Please note that this feature is limited to one of some alternatives, to improve the security between security and non-security situations. ^ When changing between states, age approval ^ stored in the control mode must be in it The monitoring stack of one state stores the contents of one state, and Γ & ^ ί restores the monitoring mode in the second state from the monitoring stack because it needs to access any login of any other mode, including private login (r14, SPSR ...). ▲ In order to deal with it, the solution proposed by the present invention includes security and mind, and grants any permission mode to be directly converted to the monitoring mode by simply writing CPSR. Such systems that switch between contexts are implemented as follows: • Entering monitoring mode φ Set S bit Φ Switching to supervisory mode-Storage monitor is logged into the MONITOR stack (of course, supervisory mode requires access to the monitor stack indicator, but This is easy to do, for example by using a normal login (R0 to R8)) • Switch to System mode-store login (as user mode) on the monitoring stack 64 200417216 fRQ login on the monitoring stack

It is simpler than CPSR. Once all private logins of all modes are stored, the MSR instruction returns to the monitoring mode (only the monitoring value mode field is written). Other solutions are also considered: own stack storage, other # add a new instruction , Which allows to monitor private logins in mode. Deploy monitoring with the new "state", that is, see the IRQ (or any other) private login in the monitoring state (with the appropriate access rights) and in the IRQ (or any other mode). Basic process (Please refer to Figure 23) I Thread 1 is executed in a non-safety context (S bit == 〇), this thread needs to execute a security function => SMI instruction. 2 · S MI instruction makes the core borrow A non-secure s MI vector enters the monitoring mode. LR_mon and SPSR_mon are used to store the PC and CPSR in the non-secure mode. The s bits remain unchanged at this stage, although the system is now in a security state The monitoring core stores non-security content in the monitoring. It also sends LR_mon and SPSR_m ο η. At this time, the monitoring core changes the S bit by writing c P 1 5 login. In this embodiment, The monitoring core keeps track of a "security thread 1" in that security context (for example, by updating a thread ID table). Finally, it exits monitoring mode and transitions to security supervision mode. 3 · Security Core Sending Application To the correct security memory location, and then switch to user mode (for example, using MOVS). 4. Perform security functions in the security use mode. Once completed, perform the appropriate SWI call by " "EXit" function. 5. The SWI command causes the core to enter the security svc mode through a dedicated SWI to the cover and sequentially execute the "exit" function. The "exit" function ends with a " SMI, to switch Back to monitoring mode. 6. The SMI instruction enables the core to enter monitoring mode by using the exclusive security SMI vector. LR_mon and SPSR_mon are used to store the security PC and CPSR in svc mode. The S bit remains unchanged (such as security Status). The monitoring core logs in the fact that the security thread 1 is completed. After that, it logs in by writing CP15 and changes the s bit 'to return to the non-security state. The monitoring core self-monitors the stack to restore non-security content It also loads the LR_mon and CPSR_mon remaining in step 2 in advance. Finally, exit with a SUBS (this command will return the core in non-secure user mode). Control mode. 7 · Thread 1 can resume normally. Refer to Figure 6 'All logins are shared between the security and non-f and non-female holistic domains. In the monitoring mode, the switchover to the eighth furnace occurs. The transition from one of the secure and non-secure domains to s ^ 卞 to the other. It involves storing the state of a login that exists in one domain, and writing a new state in the other domain To this log 66 200417216 (or restore the previously saved state at this log), as described in the "Conversion Between Contexts" section above. I want to reduce the time it takes to perform the conversion. In order to reduce the time it takes to perform this conversion, when switching between secure and non-secure domains, the shared registry is disabled so that the value of the data stored in it remains unchanged. For example, consider a transition from a secure domain to a secure domain. For example, suppose the FIQ login shown in Figure 6 is not needed in a security context. As a result, those logins are disabled, they do not need to be transferred to a secure domain, and they do not need to be stored. Disabling the login can be achieved in several ways. One way is to lock the modes that use those logins. Control bits are written to achieve this in a CP15 login indicating the failure mode. t select the location 'can be based on the instruction again, and the access to the registration is disabled by writing the control bit 7G to a CP15 registration. The bits written in the CP15 login are only related to the login, not the mode, so the mode is not invalidated, but the access to the login of the mode is invalidated. The FIQ registry stores data related to rapid interruptions. If the hq login fails and a fast interrupt occurs, the processor sends an abnormal signal to the monitor. In response to different commitments, the "monitoring mode is operable to store any data value related to a domain and stored in the above-mentioned invalid records, and carry the new data value of the registration related to other domains", and then enable the FIQ mode log in. It is possible to have a women's volleyball processor, so that when the processor changes the domain, the block registration in monitoring, ,, and monitoring will be invalid. Optionally, when switching domains and other programmers choose to fail, the invalidation of the registry can be selected using some of the presets in the 67 200417216 shared registry. When switching domains in monitoring mode, processors can be arranged, one or most of the shared logins are disabled, and one or most of the other shared logins' data is stored when leaving a domain, and new data is loaded into another domain. The new data can be null data. Figure 24 illustrates the concept of adding a security option to a traditional ARM core. The figure illustrates that a processor containing security processing options can be formed by adding security processing options to an existing core. The system wants to have backward compatibility with an existing operating system, and it will be considered that the existing system is a traditional non-security part that operates on a processor. However, as shown in the lower half of the figure and will be described below In further detail, in fact, an existing system operates on the security part of the system. Figure 25 shows a device with a secure and non-secure domain, and the reset is similar to Figure 2. Figure 2 illustrates a process suitable for performing a security-sensitive operation, which controls the process in a security domain with a security system, and controls in a non-security domain with a non-security 0 S deal with. However, the processor is also an inverse of a traditional legacy operating system, and thus the processor can operate using an operating system using a non-security sensitive method. As shown in Figure 25, the reset in the security domain and the reset that occurs regardless of the type of operation that has the S bit or security status flag set. In the case of a non-security-sensitive type of operation, it is reborn in the security domain and then continues processing in the security domain. The legacy operating system control process did not know the security aspect of the system. In order to make it a net to deal with how to feel points. The event processor, OS system is compatible with the previous version. However, as shown in Figure 25, a reset is performed to set the address of the start processing point in the security monitoring mode, regardless of whether the processing is performed. Security sensitive is in fact not security sensitive. Once a reset has been performed, additional tasks occur during subsequent power-on or power-on. The boot mechanism is not detailed. Boot mechanism The boot mechanism must take into account the following characteristics: • Maintain compatibility with older operating systems. • Power on in the most privileged mode to ensure system security. therefore. The Carbon core will boot in the safety oversight mode. The different systems will be: • For systems that want to execute an older operating system, there is no S bit, and the core will only know that it is in oversight mode. In the system using Carbon features, the core is booted in the permission mode, and the security permission mode should be able to protect all the security in the system (possibly after switching to the formula). As for the details of the above boot mechanism, the embodiments of the present invention A processor is provided to begin processing in all situations in a security oversight mode. In the case of a non-security-sensitive type of operation, although it is not a problem here, because the S bit is set (despite the operating system), the operating system is actually operating in the security domain. It points to the parts of memory that cannot be accessed from non-secure domains. Under this, you can configure or execute a [see below. Consider this machine. The security is set under the monitoring controller. The integrity is unknown. There is an excellent case. 69 200417216 is accessible. In all cases, booting in a safety oversight mode is also beneficial to a fully sensitive system, as it helps ensure system security. In security-sensitive systems, the address is provided at boot time to where the boot program is stored in the security monitoring mode, and therefore allows the system to be set to a security system and switched to monitoring mode. In general, switching from the self-safety monitoring mode to the monitoring mode is allowed, and the security system is enabled at an appropriate time to start processing in the monitoring mode to initialize the monitoring mode architecture. Figure 26 illustrates the first step. A non-safety thread NSA is performed by a non-safety operating system. In the second step, non-security execution NS A monitors the mode by executing a monitoring mode program in the third step, which is called a security domain. The monitoring mode program changes the S bit to change the domain, and performs any necessary content storage and content restoration before moving to the security operating system in step 5. Then before step 6 is interrupted by an interrupted irq, the corresponding security thread SA is executed. In step 7, the interrupt hardware triggers a return to the monitoring mode, where it is determined whether to be processed by a secure operating system or a non-secure operating system. In this case, the interrupt is handled by the non-secure operating system starting at step 9. When the interrupt is handled by the non-secure operating system, the non-secure thread NSA has resumed as an existing task in the non-secure operating system before the normal thread switching operation of step 11. This thread may be the result of a time event or the like. In the 12th step, the security operating system performs a different execution of the NSB in the non-secure domain. At this time, in the 14th step, the system is monitored by the monitoring domain / program. The coordination of harmony is step security for non-linearity. 70 200417216 For network use, due to the whole body of all the participants, the system has been returned to Anqiang rationality to call. In step 7, the L ^^ control program stores a flag. Some other mechanisms are used to indicate that the ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The operating system was suspended because a middle school was last suspended, rather than a ^^^^^ Intuition has been completed and left for a normal request, and just ^ 丄 餍. Therefore, because the sexual operating system was suspended by an interruption, & now, in step 15, the monitor program refers to the interruption of software imitation 'to escape again — Dan enters the security operating system and the imitation interruption setting is Upon return, the vanadium oxide thread ID is returned. (For example, when it is requested by the NS thread SB, the identifier started by the ^ ^ holistic operating system, other parameters are carefully introduced, and the same is true). The number of software imitation interrupts can be passed as a registered value. ′ In step 15, the fake software interrupt triggers a security test. Return to the interrupt manager routine. Xi, no 丨 忭 if

Formula 5 Hai Return Interrupt Manager routine check name The return thread ID of the imitation interrupt 〇 A ^ U determines whether the ID of the security SA is met, _ execution trace before the last security system suspension. In this case, there is no ^ u + and therefore in step 10,

After the security thread SA Kariya is stored, the security system is triggered to convert the thread into a non-female omnidirectional thread set by the NSB. After that, he can re-open the full thread SA at the request β ~ 《Yu from the interruption point. Figure 27 illustrates in another example of the behavior type shown in Figure 26. 'When the program is under the control of a non-safety operating system with this IRQ, there is no non-safety thread transition, and therefore # When the software imitation interrupt is received by the return interrupt manager of the security operating system, the dragon does not need any thread conversion and in step 15 it just resumes enabling or installing the security software. This decision 71 200417216 I omnidirectional thread SA. Figure 28 is a flowchart illustrating the processing performed by the return thread manager. The return thread manager is started in step 4002. In step 4004, when the security operating system is suspended, the return thread identifier of the software imitation interrupt is checked and compared with the existing execution security thread. If they match, the process proceeds to step 4006, where the security thread resumes. If the comparison in step 4004 does not match, the program proceeds to step 4008, where the content of the old security thread is stored before step 4010 transitions to the new security thread (for re-continuation later) . The new thread is already in progress, so step 4010 is resumed. Coordinate mission operations with other non-secure and software applications, and any corresponding formulas in the line will be controlled ^ _ irrelevant, whereby a controlled security operating system can be switched by the main control non-secure Sexual operating system execution. The main control non-security system can be an old operating system without a monthly communication mechanism, which acts to cooperate with other operating systems, and therefore only acts as a master

O Jjl ^ l ^ oF rK Q One of the initial entry points in the graph, the non-safety operating system has a subordination to the NSA. The non-safety thread NSA calls the thread, and the λ μ female general thread is intended to be executed by the security operating system (-MI call). In the second step, the SMI calls a monitoring program which is executed by 楹 +, German, and Ba. Based on this, the monitoring program * requires the internal t ^ before the 4th step of the call is pushed into the security operating system. ^ Load and convert. At this point, the safety operating system is fully committed to defending the τbound SA. The security thread may be returned to a non-6 female holistic operating system through a monitoring system, such as due to certain current events 72 200417216 or similar. At step 9, when the non-safety thread NSA re-transmits control to the secure operating system again, it does so by issuing the original software interrupt again. The software includes the non-safe thread ID identifying the NSA, the security thread ID identifying the target security thread ID to be enabled, the thread ID identifying the security thread SA, and other parameters.

When the call generated in step 9 is passed by the monitoring program and received in the secure domain by the secure operating system in step 12, the non-secure thread ID can be checked to determine whether it has been Non-secure operating systems converted content. You can also check the security thread ID of the target thread to see if the correct thread under the security operating system has been restarted or started with a new thread. In the example in Figure 29, no thread conversion is required by the security operating system in the security domain.

Fig. 30 is similar to Fig. 29, except that in the ninth step, the thread transition occurs under the control of the non-safety operating system and occurs in the non-safety domain. Therefore, in step 11, it is a different non-security thread NSB that makes the software interrupt call across the secure operating system. In step 14, the security operating system confirms the different thread IDs of the non-security thread NSB, and thus performs a task transition involving storing the content of the security thread SA and starting the security thread SB. FIG. 31 is a flowchart illustrating a process performed by the security operating system when a software interrupt is received as a call to start or resume the thread of the security operating system. In step 40 12 the call is received. In step 4014, the parameters of the call are checked to determine whether they are 73 200417216 in the security operating system and are consistent with the security threads currently enabled. If so, restart the security thread at step 4016. If not, the process proceeds to step 4018, where a decision is made as to whether the newly requested thread can be used. The newly requested thread may not be available because it is or it requires a unique resource, and the resource is already used by some other thread in a secure operating system. In this case, in step 4020, an appropriate message is returned to the non-secure operating system to reject the call. If it is determined in step 40 1 8 that a new thread is available, the process proceeds to step 4022, in which the contents of the old security thread are stored for possible restarting later. At step 4024, a switch to a new security thread is performed as in the case of a software interrupt call to the security operating system. Fig. 32 illustrates an operation according to which a priority inversion is performed. When interrupts are processed in one of the systems having a plurality of operating systems, different interruptions are handled by different operating systems. The process starts with the security operating system executing a security thread SA. Then interrupted by-the first interrupt Int '1. It triggers a monitoring program in monitoring mode to determine whether the interruption is to be handled in a secure or non-secure domain. In this case, the interrupt is intended to be processed in the security domain, and the program returns to the secure operating system and starts the interrupt processing routine of interrupting Int 1. By executing the interrupt processing routine of Int 1 midway, a further interrupt Int 2 with higher priority is received. Therefore, stop the interrupt manager of Int 1 and the monitor program used to determine where the interrupt Int 2 is handled in the monitoring mode. In this case, the interrupt Int 2 is handled by the non-safety operating system 74 200417216, and therefore passes control to the non-safety operating system and the interrupt manager of the original Int 2. When the manager of interrupt Int 2 is completed, the non-security operating system does not have the information indicating that the service is suspended in the security domain. The interruption Int 1 therefore, the non-security operating system can perform some further steps, such as tasks Switch or start a different non-safe thread NSB while still failing to service the original interrupt Int 1. Figure 33 illustrates a technique to avoid problems related to the operation of Figure 32. When interrupt Int 1 occurs, the monitor passes it to a non-secure domain at the start of the stub interrupt manager. The stub interrupt manager is a relatively small and fast interrupt manager that returns the process to the security domain through the monitoring mode and triggers the interrupt Int 1 in the security domain. The interrupt Int 1 is mainly processed in the security domain, and the startup of the stub interrupt manager in the non-security domain can be regarded as a type of location keeping record, which indicates the non-security domain, and the interrupt is in the security domain. Domain suspended. In the security domain, the interrupt manager for interrupt Int 1 is once again dominated by the high priority Int 2. In non-safety domains, the execution of the interrupt manager for Int 2 is still triggered. However, in this case, when the interrupt manager for Int 2 is complete, the non-secure operating system has the data to indicate the interrupt manager for the stub, because the interrupt Int 1 is still outstanding and the stub will therefore be resumed Interrupt manager. The stub interrupt manager will appear as if it were suspended at the point where it is making a call back to the secure domain, whereupon the call will be performed again and therefore transitioned to the secure domain. Once back to the security domain, the security domain is able to interrupt itself again at the location where it was interrupted. When the interrupt management of interrupt int i is completed in the security domain, make a call back to the non-security domain to close the stub interrupt management in the non-security domain before the original execution of the security thread SA resumes Device. Figure 34 illustrates the different types of interrupts related to the priorities of the daggers and how to deal with them. You can use a purely secure domain interrupt manager to handle high priority interrupts, ensuring that no higher priority interrupts are handled by non-secure domains. Once an interrupt has a higher priority than subsequent interrupts' and is processed in a non-secure domain, all lower-priority medians are either handled purely in the non-secure domain or are used in Figure 33. Stub interrupt manager technology, based on which non-secure domains can continue to chase those interrupts, even if they mainly deal with those who happen in the secure domain. As mentioned earlier, the monitoring mode is used to perform the transition between the security domain and the incomplete domain. In the embodiment, the common registration in two different domains involves storing the states in the registrations into memory, and loading the new state into the registration from the memory for the destination domain. For any login that is not shared between domains, there is no need to save the state, because the login will not be accessed by other domains, and the transition between these states is between secure and non-secure networks. A direct result of the conversion between domains (ie, the value of the S bit stored in one of the CP15 logins determines the unused logins used). When the processor sets data in the monitor mode to control the processor's access to the memory, some states need to be switched. Because the memory in each domain is different, for example, the security domain accesses the security memory device, all y are all traced first, then two are made in total memory 76 200417216 security Data, the secure memory cannot be fetched from a non-secure network. Obviously, the processor setting data will need to be stored in the CP15 registry 34 as shown in Figure 35 when the domain is switched. In an embodiment, the logins are shared between the domains. When the monitoring is switched between the secure domain and the non-secure domain, the processor setting data existing in the CP 1 5 login 3 4 needs to be rotated. Out to the memory, and the processor setting data related to the destination domain is loaded into the CP15 registry 34. Because the processor setting data in the CP 1 5 registration usually has an immediate effect on system memory access, it is clear that if the processor updates them during operation in the monitor mode, these settings will immediately occur. For a static monitoring mode in which the processor setting data is to be set in the monitoring mode, this is undesirable. Therefore, as shown in FIG. 35, a specific processor setting data 2000 is provided in an implementation of the monitoring mode of the present invention, which can be used to overwrite the processor setting data 34 of the registration 3 4 when the processor is operating in the monitoring mode. . As shown in FIG. 35, when it is input, it can be achieved by receiving the processor setting data and monitoring mode registered in the CP 1 5 through the multiplexer. In addition, the multiplexer receives a control signal via path 20 1 5 to indicate whether the processor is operating in the monitor mode. If the processor is not operating in the monitoring mode, the processor setting data of CP 1 5 login 3 4 is output to the system, but if the processor is operating in the monitoring mode, otherwise, the multiplexing to 2010 output monitoring mode is exclusive The processor sets the data 2000 to ensure that the domain is protected from changes. Device setting 〇 Mode CP15 is required for mode control. In the state setting example, CP15 is used in 2010 and 2010 is dedicated to 2010. When operating at the place where the converter should use 77 200417216, the system design should be monitored in the system design. It should be in the above-mentioned real memory mode in any group of individual modes that are exclusive to the monitoring model The time to entity is arranged, that is, the address of the device can be set as the status of the bit processor. In the monitoring mode, the processor usually allows the processor to access the form of memory. The data manager sets the data to be consistent. When the processor is in the monitoring mode, the dedicated processor setting data can be written in Hard-C (> ded) to ensure that it cannot be stunned. However, it is also possible to program the dedicated processor setting data in the monitoring mode. 'Without prejudice to security, when operating in the security permission mode, ensure that the processor can only be modified by the processor-specific setting data. As far as the settings of the dedicated processor settings in the monitoring mode are concerned, this allows some flexibility. If this monitoring is scheduled The module processor setting data is programmable, so it can be stored in the system in an appropriate place. One of the records in 34 is registered in 3. 4. Often, the monitoring mode dedicated processor setting data is set to provide a very secure environment for the operation of the processor during monitoring. Therefore, in the embodiment, the monitoring mode dedicated processor The setting data may set the management unit 30 to be invalid. When the processor is operated in the monitoring mode, the virtual memory translation that may be applied by the memory management unit is invalidated. Under such conditions, the processor It will always send the physical address directly. When a memory access request is issued, I /, T and T will be able to reliably access the memory, regardless of whether any virtual to real telegraphy is compatible. The comprehensive data of the dedicated processor 2 of the 'Monitoring Mode'. It is better to have a network domain. In the security processor 78 200417216 setting data, the domain status bits with the same value will be set to the network with the same value. Domain status bit (" S "bit). Therefore, regardless of the actual value of the domain status stored in the CP 15 registry, the value will be set by the network set by the monitoring mode dedicated processor setting data The status bit overrides to determine that the security mode has accessed the security data. The monitoring mode-specific processor setting data can set other data to control access to part of the memory. For example, when the processor is operating in the monitoring mode In the monitoring mode, the dedicated processor setting data can be set to cache 3'8. Do not use it to access the data. In the above embodiment, it has been assumed that all CP 1 5 registrations containing processor setting data are shared between network domains. However, in an alternative embodiment, some CP15 entries are "banked". For example, there are two entries for a specific item used to store processor configuration data. One entry may be in a non-secure domain. The value of an item in the access and containing the processor configuration data of the non-secure domain, and another item registered in the security domain that can be accessed in the security domain and contains the processor configuration data of the secure domain A CP15 login that is not blocked is a "S'1 bit", but in principle any other CP 15 registration can be blocked if desired. In such embodiments, the conversion of the processor setting data by the monitoring mode involves the conversion of any shared CP 1 5 registrations into memory, and now the processor setting data is in the shared registrations, and In these shared CP 1 5 registrations, the processor setting data related to the destination domain is loaded. For any block registration, it is not necessary to store the processor setting data in the memory 79 200417216. On the contrary, due to the change of the s-bit value stored in the associated shared CP 15 registration, the conversion will occur automatically. As mentioned previously, the monitoring mode processor setting data will have a domain status bit that overrides the data stored in the CP15 registry, but has the same value as the domain status bit for the security domain (ie, in the The S-bit value 1) in the above embodiment. When some CP 15 logins are partitioned, it means that at least part of the monitoring mode-specific processor setting data 2000 in Figure 35 can be derived from the security processor setting data stored in the partitioned registration, because in These registrations are not written to the memory during the conversion process. Therefore, as an example, the dedicated processor in the monitoring mode will set a domain status bit to cover users who are not in the monitoring mode. However, in the preferred embodiment, it has the same value as the user in the security domain, which means that the logic for selecting the accessible CP15 login is to allow access to the secure CP 15. By allowing the monitoring mode to use the security processor setting data as the relevant part of the monitoring mode-specific processor setting data, the storage of resources can be implemented because it is no longer necessary to provide these items for the monitoring mode-specific processor setting data A set of individual logins. Fig. 36 is a flowchart illustrating the steps for performing the conversion of the processor setting data when the conversion is required between a network domain. As mentioned earlier, an S MI command is issued to facilitate the transition between the domains. Therefore, in steps 20 to 20, an SMI instruction is issued. When receiving an SMI instruction, the processor proceeds to step 2030, where the processor starts executing a monitoring program in the monitoring mode, which causes the processor-specific data of the monitoring mode to be used as a path to the multiplexer 2010 2015 As a result of the control letter 80 200417216, the multiplexer converts the monitoring mode data. As mentioned earlier, it may be a set of self-contained to go from the security processor stored in the partitioned login to some parts. ° Thereafter 'in step 2040, the self-issued ^ ⑷ refers to the domain storage of the existing state, which includes a portion of the memory from any shared storage state of the processor setting data related to the above domain for storing this For class status. In the step, the conversion status indicator points to the memory containing the destination domain. Therefore, in general, in order to store the status information, two configurations are configured to store the state of the non-secure domain, and one configuration of the state of the adaptive domain. Once the status indicator has been converted in step 2050, the current status is loaded into the relevant female in step 2060. After it contains the relevant processor loaded in the destination domain, in 2070 Steps, when in the monitoring mode, and then the processor switches to the required one in the destination network domain; FIG. 37 illustrates in detail the operation of the record 30 of an embodiment of the present invention. The memory management logic includes a record (MMU) 200 and a memory protection unit (MPU) 220. Any access request issued by the core 10 of the intended address will pass through to the MMU 2000, which is responsible for performing reservations, especially determining the physical address permissions corresponding to the virtual address and determining the attributes of the area. The data belongs to the processor setting, or you can set the data acquisition order to register to CP15 in the memory. Usually, after dialing, part of the memory in the state corresponding to the 2050 will be stored as a status indicator under safe storage. ^ Use CP15 to register the setting data. This control program exits the mode. Memory management logic Memory management unit The access control function passed by a virtual path 234 is set and determines access 81 200417216 Data processing equipment% Memory system contains security memory

When operating in a domain. Security memory and non-secure security memory only other master devices, when operating and therefore on the safety net in the implementation of the invention in the 37th place *, in the non-security mode

According to a preferred embodiment of the present invention, a non-secure page table 58 is provided in the non-secure memory, such as a non-secure memory portion of the external memory 56, and is used for each of the definitions in the page table. A non-feminine memory area stores a corresponding descriptor. The information contained in the descriptor can be used to obtain the access control information required for the MMU to perform a predetermined access control function, and accordingly, in the embodiment described with reference to FIG. 37, the virtual to Information about physical address mappings, access permissions, and any locale attributes. In addition, according to a preferred embodiment of the present invention, the security of the memory system provides at least a security paging table 58, such as in a security section of the external memory 56, which is again defined in the table Some memory areas provide an associated descriptor. When the processor is operating in a non-secure mode, it will refer to the non-secure paging table to obtain relevant descriptors for managing memory accesses. Conversely, when the processor is operating in secure 82 200417216 sexual mode, Descriptors from the security paging table will be used. The process of obtaining the descriptor from the auto-correlated paging table to the MMU is as follows. The memory access request issued by the core 10 sets a virtual address, and a query is executed on the micro-TLB 206 (TLB is the main translation lookaside buffer), which is one of the virtual address parts. The corresponding physical address portion of the autocorrelation paging table. Therefore, the micro-TLB 206 will compare a certain part of the virtual address with the corresponding virtual address part stored in the micro-TLB to determine compliance. The part of the comparison is usually some predetermined number of most significant bits of the virtual address. The number of bits is based on the paging granularity in the paging table 58. Queries executed in the micro-TLB 206 are generally relatively fast because the micro-TLB 206 includes only relatively few S items, such as eight items. When no hit is found in the micro-TLB 206, the memory access request is passed via the path 242 to the main TLB 208 containing some descriptors obtained from the paging tables. As will be discussed further below, descriptors from both the non-security paging table and the security paging table can coexist in the main TLB 208, and each entry 1 in the main TLB has a corresponding flag (this article (Referred to as a domain flag), which can be set to indicate whether the corresponding descriptor in the item has been obtained from a security paging table or a non-security paging table. I will understand that for all security mode operations that directly set the physical address in their memory access request, such flags in the main TLB are not needed, and when the main TLB stores only non-security descriptors Time. In the main TLB 208, execute a similar query procedure to determine whether it is 83 200417216 or not. The relevant part of the virtual address issued in the ^ it body access request corresponds to any virtual bit related to the descriptor in the main TLB 208 Address part, and this particular TLB is related to a specific mode of operation. Therefore, if the core i 〇 operates in non-security mode, only those descriptors in the main TLB 2008 that have been obtained from the non-security paging table will be checked, otherwise if the core i 〇 operates in security mode, Only the descriptors that have been obtained from the security paging table are checked in the main TLB. If there is a match in the result of the check processing in the main TLB, the access control information is extracted from the relevant descriptor and transmitted via the path 242. In particular, the virtual address part of the 'descriptor' and the corresponding physical address part will be routed to the micro-TLB 206 via the path 242 to be stored in an item in the micr0-TLB, loading the access permission to The access permission logic 202 is loaded, and the region attribute is loaded into the region attribute logic 204. The access permission logic 202 and the area attribute logic 204 may be separated from the micro-TLB or may be incorporated in the micro-TLB. At this point, the MMU 200 is able to process memory access requests, as there is now a match in the micro-TLB 206. Therefore, micr0-TL] B 2 06 will generate a physical address, which may be output to the system bus 4 0 via path 23 8 to be routed to the relevant memory, if not by chip integration (on- chip) memory, such as TCM 36, cache 38, etc., is one of the external memory units accessible through the external bus interface 42. At the same time, the memory access logic 202 will decide whether to allow the memory access, and if the core is not allowed to access the specific memory address in the operation of the existing mode, it will send a 〆stop signal back to the core via path 2 30 1 〇. For example, 84 200417216, whether in secure or non-secure memory, when the core is operating in supervised mode, the core sets certain parts of the memory to be accessible only by the core, and therefore, when used in, for example, In the user mode, if the core attempts to access such a memory address, the access permission logic 202 will detect that the core 10 does not currently have appropriate access permissions, and issue a suspension signal via path 230. This will suspend memory access. Finally, the region attribute logic 204 will determine the region attributes of a particular memory, such as whether the access is cacheable, bufferable, etc., and issue such signals via path 232, which will be used to determine memory storage Whether the requested data can be cached, for example, in the cache 38, whether the written data can be buffered in the case of write access, and so on. In the case that there is no match in the main TLB 208, the translation table walk logic 210 is used to access the relevant paging table 5 8 to intercept the required descriptors through the path 2 4 8 and then The path 246 security entry CP15 security net is set, and when the content is reversed and vice versa, a translation table is executed on the net. Then in the order description page table and 34, the domain or non-switching is in non-, the domain is in this document, and the virtual bit is passed to the main TLB 208 for storage and retrieval. The base addresses of both the security paging tables will be stored in the existing domains operated by the processor core 10, the security domains, and the women ’s comprehensive domains and security domains in a login of CP 15 When this happens, the status registration will be set by the monitoring mode. The domain status will be called the domain bit. Therefore, if it is necessary to execute the order, the translation table walking logic 210 will know the core and therefore know that the base address used to access the related table is used as compensation for the base address, in order to store it in the appropriate paging table. Take the appropriate item to obtain the required descriptor β Once the descriptor is taken by the translation table walking logic 21, and placed in the main TLB 208 ', a match will be obtained in the main TLB, and the previous call will be made The procedure described is to retrieve access control information and store it in micro-TLB 206, access permission logic 202 and area attribute logic 204, and then memory access can be performed by MMU2000. As mentioned earlier, in the preferred embodiment, the main TLB 208 can store descriptors from both the secure and non-secure paging tables, but once the relevant information is stored in the micro-TLB 206, only Processed by mMU 2 00 § Memory access request. In the preferred embodiment, the data transmission between the main 208 and the micro-TLB 206 is monitored by a segmentation detector 222 located at the Mpu 22o to ensure that when the core io operates in a non-security mode, there is no The access control information is passed from the descriptor in the main TLB to miCr0-TLB 206. If so, it will cause a physical address to be generated in the security memory. —The memory protection unit is managed by the security operating system, which can be used to define the division between the safety δ memory and the non-safe memory, and the registration of 5 3 4 cuts. Then the segmentation detector 2 2 2 can refer to the tool information to determine whether the access control information is transmitted to micr0-TI stomach 0 6 ', which allows the core 1 0 to access the security hidden in a non-security mode. What's more 'In the preferred embodiment, when the core, 10 is operating in the security mode, as in the cpi5 domain status registration, the domain bit is set to 6 by the monitoring mode. Unusually, the segmentation detector 222 can be operated ... path 2 ", and the monitoring attempt is to take any physical part of the TLB208 from 86 200417216 micro-TLB 206, and based on the physical part, decide whether it will be the virtual bit later The physical address generated by the address in the security memory. In this case, the partition detector 222 sends a stop signal to the core 2 0 to prevent the memory access. I will understand and be able to arrange the partition The detector 2 2 2 is stored in the micro-TLB 206 to prevent the body address portion, or the selective address portion is still stored in the micro-TLB 206, but the discontinued portion will be incorrectly removed from the micro-TLB 206. The physical address is deleted, for example, by clearing the micro-TLB 206. As long as the core 10 is in a non-security mode and a security mode is changed by the monitoring mode, the monitoring mode will change the domain status of the C p 1 5 domain. Bit value 'to indicate the processor The domain that the operation becomes. Part of the transfer process between domains will clear micr0TLB 206. Therefore, the memory access after the transfer between the secure domain and the non-secure domain will be in the micro- The TLB 206 generates a miss, and intercepts the access information from the main TLB 208, or directly retrieves the relevant descriptors from the relevant paging pages. By the above method, we will understand that the segmentation detector 2 2 2 will act as the core in non-security When operating in the sex domain, if you intend to intercept the micro-TLB 206 access control information that allows security 5 memory, the memory access will be suspended. If the processor core 10 is in any mode of operation, arrange memory access Request to directly set the “physical address, it will be invalid in the operation of MMU 200” and the physical address will be passed to path 236

The address is via the student. The registration action between the substantiation of the physical entity, and the first and the last table, please ensure that the accessor is integrated as a module MPU 87 200417216 220 〇 The summation zone defined in the attribute logic domain is in the only division, the logic of the intention 202 In the core address buffered pseudo address access, from this kind of program monitoring module bit fetches the CP15 ^ body address via the flow of the road map. In a security mode of operation, the access permission logic 224 and the region series 226 The necessary access domain attribute analysis is performed according to the access permission authority and area attributes of the corresponding zones registered in the cpi5 34 segmentation information registration. If the location of the secure memory that is being accessed can be accessed in a particular mode operation, such as a security permission mode, then the core operates in a different mode ^ access, for example, a security The user mode will result in a suspension of the access permission 224, and a suspension method in such an environment with the same access permission logic as the MMU. Passing through path 23 to the same, the area attribute logic 226 will generate a fast The fetch and signal can generate such signals with the same area attribute logic 204 as the MMU in place of a dummy memory access request. It is assumed that the access request at this time is allowed to proceed to the system bus 40 via the path 240, which is routed to an appropriate memory unit. In order for the access request to specify a non-secure access to a physical address, the storage will be routed to the partition detector 222 via path 236, which refers to the partition information of Listing 34 to perform a partition check to determine whether it is real A position is specified in the security memory. In this case, a stop signal will be generated in 230 again. The procedures for describing the memory management logic are now described in further detail with reference to Figures 39 and 40. FIG. 39 illustrates a case where a virtual address is generated when the core 10 executes, as shown in step 300. The relevant domains set in the CP 1 5 domain status registration 34 according to the formula will indicate whether the core is now in a secure or non-secure network.

88 200417216 in the domain. In this case, the core is being executed in a security domain, and the process proceeds to step 302, in which a query is performed in the micro-TLB 206 to find out whether the relevant part of the virtual address matches the virtual address in the micro-TLB Part one. If it matches in step 302, the process proceeds directly to step 312, where the access permission logic 202 performs the necessary access permission analysis. At step 314, it is determined whether there is an access permission violation ' and if so, the program proceeds to step 316 where the access permission logic 202 issues a suspension via path 230. Otherwise, if there is no access permission violation ', the process proceeds from step 314 to step 3 1.8, where memory access is performed. In particular, the area attribute logic 204 will output the necessary cacheable and bufferable attributes via path 232, and the micro-TLB 206 will issue the physical address via path 238 as described earlier. If there is a discrepancy in micr0-Tlb in step 302, a query procedure is performed in the main TLB 208 in step 304 to determine whether the required security descriptor exists in the main TLB. Otherwise, a paging table walking program is executed in step 306, and the translation table walking logic 210 obtains the required descriptors from the security paging table, as described earlier in FIG. 37. At this time, the program proceeds to step 308, or directly from step 304 to step 308 'if the security descriptor already exists in the main TLB 208. At step 308, it is determined that the main tlb now contains the security descriptor of the tag, and therefore the program proceeds to step 31, where the micro-TLB is loaded with the child containing the descriptor of the physical address portion. section. Since the core 10 is currently being executed in the security mode, the partition detector 2 2 2 does not need to perform any partition check function. 89 200417216 At this point, the process proceeds to step 3 12 where the memory access is performed as described earlier. If the non-secure memory is accessed, the process proceeds from step 3 00 to step 3 20. 'Where a query procedure is performed in micro-TLB 206-a non-security descriptor determines whether the corresponding physical address part exists.' The program proceeds directly to step 336, where the access permission 202 is checked by the access permission series 202. It should be noted at this point that if the body address portion is in a micro-TLB, it is assumed that there is no security violation because the segmentation detector 22 supervises the information before being stored in the micro-TLB. Once the deposit has been checked in step 336, the procedure proceeds to step 3 38, where it is determined whether there has been any access permission error aborted in step 316. Otherwise, the process proceeds to step 3 18 'where the rest of the memory access is performed as described earlier. If no conformant is located in the micro-TLB at step 320, the sequence proceeds to step 322, where a check is performed at the main tlb 208 to determine whether the relevant non-security descriptor exists. Otherwise, the table walking logic 210 executes a paging table walking procedure at step 3-24. Wear the necessary non-security descriptors from the non-security paging table to the main 8. At this time, the program proceeds to step 326, or directly from step 322. Walk to step 326. If at step 322 see the meeting partner at the main TLB 208. In step 326, it determines the effective additional non-security descriptor of the currently considered virtual address in the main TLB, and then the step 28 28 segmentation detector 222 checks from (the rest of the entities in the descriptor to 0 in the descriptor. If it can be logically countered, it can be effectively obtained: reverse, the sequence is discussed, the process is translated, and the TLB is entered. The examination is at the address 90 200417216. In the record, on line 220, the line, the mode cut, the security check, and the full-generation) memory have accessed the non-secure memory. V: The physical address generated by the virtual address will be the secure memory. Set in the '... that is, if the physical address is completely violated, a bit-then [in step 33, it decides «222 ^, and the procedure proceeds to step 332, in which an alarm 14 is issued by the divider 222 / Non-women's sexual error aborted. However, if the detector logic 222 decides that there are no security violations, the program proceeds to step 3, step 334, where the miCro-TLB is loaded with a sub-portion of the relative descriptor containing the body address portion. Then, in step 336, the memory access is performed in the same way as described above. Referring to Figure 40, super | τ ^, the following describes the processing of directly issuing a memory request for a physical address. As I & ^ You Yi was enchanted, in this process, MMU 200 will, most of all: be achieved by logging in to a related login β of an MMU enable bit, the setting procedure is executed by the monitoring mode . Therefore, at 350 V, the core 10 will generate a physical address that will be transmitted to the MPU via path 236. Then, in step 352, the Mpu checks that the requested memory access can be performed in the existing operation mode, that is, user supervision, and so on. In addition, if the core is operating in non-security ', whether or not the physical address is in non-security memory, in step 352, the analyzer 222 will also check whether the physical memory is in non-security mode. Then, in step 354, it is determined whether there is a violation, that is, whether the access permission procedure has disclosed a violation, or if in the non-security mode, the partition check procedure has renewed a violation. If any of these violations occur, the program proceeds to step 356, where it is stopped by Mρυ 220 an access permission error. I will understand that in some embodiments, 91 200417216 makes no difference between a type of suspension, while in alternative embodiments, 'the suspension 仏 number can refer to whether it is associated with _ access permission error or A security error. If no violation is detected in step 35.4, the process proceeds to step 358, where memory access occurs to the location identified by the physical address. In the preferred embodiment, only the monitoring mode is arranged to generate the physical address directly, and therefore in all other cases, as described earlier, the MMU 200 will be enabled and the virtual address generation from the memory access request will occur The physical address. Figure 38 illustrates an alternative embodiment of the memory management logic, in which all memory access requests specify a virtual address, and therefore a physical address is not directly generated in any mode of operation. In this process, I will understand that there is no need for another MPU 220, and conversely, the segmentation detector 222 can be incorporated into the MMU 200. This change happened quietly, and the procedure was performed in exactly the same manner as discussed earlier with reference to Figures 37 to 39. I will understand that various other options are also possible. For example, assuming that a memory access request can be issued by the security and non-security modes of a specified virtual address, two MMUs can be provided, one for security access requests, and one for non-security access requests, that is, in Mpu 22 in Figure 37 can be replaced with a complete MMU. In this case, a flag used with each mmu's primary TLB may not be needed to define security or non-security. When an MMU stores non-security descriptors in its primary TLB, and another An MMU stores security descriptors in its main TLB. Of course, we still need to split the detector to check if the core is intent to store when the core is in a non-secure domain: ^ \, pre-fetching full memory. If, optionally, all ancient addresses, an all memory access request directly specifies the entity's interpretative bolus I, ancient main inflammation, $ 从 from using two MPUs, one for security access β month demand And—for non-security MPU sexual access requests. For non-secure access requests, J has committed other accesses that are supervised by the security_sec 14 partition detector. Μ Allow access to secure memory in non-secure mode. Any of the arrangements in Figure 3 8 can provide further features, and can be arranged to perform some segmentation checks to monitor the activities of S walking logic 2 10. In particular, # 果 Core is now operating in the security domain, and it can arrange segmentation detection E 222 for inspection T eight translation tables walking logic 210 attempts to access a page table, which access non-security + W eight 15 * Taxi page table instead of security paging table. If a violation is detected, it is best not to generate a stop signal. Because the translation table walk logic 210 usually performs a paging table query by combining a paging table base address with certain bits 70 of a virtual address issued by a memory access request, the segmentation detection may / step and For example, the check translation table walk logic 2 i 0 uses a base address of a non-secure paging table instead of a base address of a secure paging table. FIG. 41 illustrates a procedure executed by the partition detector 222 when the core is operating in a non-security mode. I will understand that under normal operation, the interpolations obtained from the non-secure page table should describe only one page mapped in non-secure memory. However, in a software attack order, the descriptor may be tampered with so that it now describes a portion of the non-secure and secure area containing memory. Therefore, considering one of the examples in Figure 4, the tampered non-security descriptor can cover a page, which includes the non-security area 93 200417216 domains 370, 372, 374, and security areas 376, 378, 38. If the virtual address issued as part of the memory access request now matches a physical address in a secure memory area, such as the secure memory area 3 7 6 shown in Figure 41, then a split detection is arranged The device 2 2 2 generates an abort to prevent access from occurring. Therefore, even if an attempt to access the secure memory has tampered with a non-feminine descriptor, the partition detector 2 2 2 prevents that access from occurring. In contrast, if the physical address derived using this descriptor is consistent with a non-secure memory area, for example, area 374 shown in Figure 41, the access control information loaded in the micro-TLB 206 is only confirmed The non-security zone 3 74. Therefore, access in the non-secure memory area 374 can occur, but access to any of the security areas 376, 37, or 38 cannot occur. Therefore, it can be seen that even though the main TLB 2008 may contain descriptors from tampered non-secure paging tables, the micr0 TLB will only contain the physical address part, which will enable the Access 0 As mentioned earlier, in an embodiment, the non-secure mode and the security mode can generate a memory access request for a specified virtual address, and then the memory preferably includes one of the non-secure memory. Non-security paging table, and a security paging table in security memory. When in the non-security mode, the translation table walking logic 21 will refer to the non-security paging table, and when in the security mode, the translation table walking logic 21 will refer to the security paging table. Figure 42 illustrates the two-page table. As shown in FIG. 42, unsafe memory 39, which may be in, for example, external memory 56 shown in FIG. 1, includes one of the unsafe paging tables 395, which refers to a base address 397 at 94 200417216 A CP15 login ~ It can be in the first time again ... Similarly, in the security memory 400, the security page of the memory page 56 provides a copy corresponding to a copy # P 5 which consists of a security Pagination table base address 407 CP15 of your abdominal table, every description, ^ 疋. In the non-secure page table 395 W Μ will all point to a corresponding non-female full page in the non-secure page 390, and the parent-descriptor, The righteous girl ’s holistic memory 400 has A miscellaneous pages # ,, τ 旳 corresponding to the female ’s holistic page. In addition, the description of the feelings for some areas, including the θ memory area 410, which may not be shared, can be accessed by non-female holistic mode and security mode. The preferred embodiment details the query procedure performed in the main tlb 208. As mentioned previously, the main TLB 208 includes-a domain flag 425 'which confirms whether the corresponding descriptor 435 is from a security paging table or a non-security paging table. It ensures that when the look-up procedure is executed, only descriptors related to the specific domain where the core 10 operates are checked. Figure β illustrates an example in which the core is implemented in a security domain, also known as a security scenario. It can be seen from Figure 43 that when a main TLB 208 query is performed, it will cause descriptor 440 to be ignored, and only descriptor 445 will be identified as a candidate for the search procedure. In accordance with a preferred embodiment of the present invention, an additional program ID flag 43, also referred to herein as the asid flag, is provided to confirm the descriptor from the program-specific paging table. Therefore, the programs P1, P2, and P3 each have a corresponding paging table provided in the memory, and further, there can be different paging tables for non-security operations and security operations. In particular, I will understand that programs PI, P2, and P3 in the security 95 domain can be completely independent of programs PI, P2, and P3 in the non-security domain. Therefore, as shown in Figure 43, in addition to checking the domain, when the primary TLB query 208 is required, the Asid flag is also checked. Therefore, in the example in FIG. 43, in the security domain, the program P1 is executed, and the search program confirms that only two items 450 are in the main TLB 208, and is based on whether there are virtual address parts in both descriptors. The virtual address part issued by the body access request generates a hit or a miss. ^ If there is, then the relevant access control information is intercepted and passed to the micro-TLB 206, access permission logic 20 and the region attribute logic 204. Otherwise, a discrepancy occurs, and the translation table walk logic 21 is used to intercept the required descriptors from the paging table provided to the security program P1 into the main TLB 208. Those skilled in this art will understand that there are many techniques for managing the contents of TLB, and therefore when a new descriptor is intercepted to be stored in the main TLB 208, and the main TLB is already full, you can use any of the most known techniques Decide which descriptors to remove from the main TLB, to make room for new descriptors, such as the most recently used method, etc. So I will understand that the safety core of the safety mode for operation can be: End: It develops independently of the non-safety operation department. However, in some cases, the development of non-women's holistic operating systems can be closely linked, and in this case, it is' suitable to allow security applications to use non-security profiles, 2, which will allow security Sexual applications use only known virtual addresses to direct non-secure data (to share). Of course, it is assumed that security virtual mappings and holistic virtual mappings can be performed by specific ASIDs. The non-security descriptor is executed in the more separated security control registration, which can only be obtained by the security at the actual address. The non-security transmission value is as described in the parameters, which is defined by the core control and preferably can be defined for each Domain attribute examples' areas of memory are part of the domain. Pre-import tags are required (ie, domain flags) to identify between security descriptors. Conversely, all available queries in the TLB. In the preferred embodiment 'The architecture of the main TLB and the architecture of the previous global and non-security descriptors can be set by the specific bit provided in. This bit is set in the core of the preferred embodiment. In the security application, it is allowed to directly use a non-secure. It may also enable the non-secure stacking indicator from the security domain. It is enough to copy the non-secure stacking indicator to the CP15 registration 34. At this time, it will be applied according to the plan understood by women's holistic applications. As mentioned earlier, the memory may be partitioned into non-security and secure and the partition is registered using cpi5, which is dedicated to the partition detector 222. The basic partitioning method is based on access permissions in a typical Mpu area. Therefore, dividing the memory into most areas can use its base address, size, memory attributes, and storage area. In particular, when designing overlapping areas, Has the highest priority on the Internet. In addition, according to the present invention, a new area attribute is used to define whether the corresponding area is in or in non-secure memory. It is defined by the security core usability to be used as secure memory. In the CP15 description of the memory and protection of the body, sexual assault becomes safe and promotes the stacking of the whole nature. 16

In the startup phase, a first partition is performed as shown in FIG. 44. This initial partitioning will determine the amount of memory 460 to be distributed to non-security scenarios, non-security operating systems, and non-security applications. This number is consistent with the non-security area defined in the segmentation. This information is then used by non-secure operating systems for its memory management. The remaining memories 462, 464 (defined as secure) are not known to non-secure operating systems. To protect the integrity of non-secure contexts, non-secure memory can be designed to allow access only to the security permission mode. Therefore, security applications will not be tampered with by those who are not secure. As shown in FIG. 44, after the boot-up phase is divided, the memory 460 can be used for non-security operating systems, the memory 462 can be used for security cores, and the memory 464 can be used for security applications. Once this boot phase partition has been performed, the memory map of the non-secure memory 460 is handled by the non-secure operating system using the MMU 200, and thus a series of non-secure pages can be defined in a unified mode. As shown in Figure 45.

If a security application needs to share memory with a non-security application, the security core can change the permissions of a part of the memory to transfer fake data from a domain to others. Therefore, as shown in Figure 46, the security core can change the permissions of the non-secure page after checking the integrity of the non-secure page so that the security page 466 becomes accessible shared memory. When the memory partition is changed, mici * o-TLB 206 needs to be cleared. Therefore, during this process, when a non-secure access occurs thereafter, a discrepancy will occur at the micro-TLB 206, and therefore a new descriptor is loaded from the main TLB 208 98 200417216. The new descriptor is checked by MPU's segmentation detector 222 afterwards. When it is intended to intercept it to micr0_TL] B 206, it will be consistent with the new segmentation of the memory. In the preferred embodiment, this fast Taking 3 8 is a virtual index and a physical addition. Therefore, when an access is performed in the cache 38, a query has been performed in the micro-TLB 206 first, and therefore access permissions (especially security and non-security permissions) will be checked. Therefore, the security data is stored by the non-security application in the cache, and therefore, access to the security data cannot be performed in the non-security mode. However, for non-secure domains, a problem that can arise for security applications is being able to use # 七 (invalidate), clear or remove the house. Gan Tai Ding Void, ~ I *, take eight and ensure that this will affect the security of the system. Example &,. ^ ^ Because staying awake for a long time. For example, if the non-security 痨 cache 38 without clearing it, the system wants to replace the 刖, any outside write any safety-contaminated The thought must be added to the cache, and treated differently from the male sex. It is enough to perform the operation in a preferred embodiment, such as Li Shi-a non-a result from a non-literate program address as a "cache line" operation, a track "compliance by the knife cutting detector 222 obituary" Address, and if the cache line is a loyal a & check physical female all-purpose cache line, in your preferred embodiment, a non-safety or even bower I will be used as the cache line "Operation becomes all" null "performed by the emperor on the basis of intentional-non-safety procedures. Similarly, the "P" operation becomes the "r ,,", and the operation "operation, so as to ensure the security of the system. In addition, referring to the first figure, the micro-TLB 206 controls any access of the DMA 32 to the TCM 36. Therefore, when the DMA 32 performs a query in the TLB to convert its virtual address into an entity, the previously mentioned flags added to the main TLb allow the required security checks to be performed as if they had been issued by the core 10 Access request like. In addition, as will be discussed later, a copy is connected to the external bus 70, preferably in an arbiter / decoding block, so that the DMA 32 can be stored directly by the external bus interface 42 When the memory connected to the external bus 70 is fetched, the copy division detector connected to the external bus 70 checks the validity of the access. In particular, in a preferred embodiment, it is possible to add a bit to the CP15 login 34 to define whether the DMA controller 32 is available for non-secure network domains. When operating in a permission mode, the Bits are only allowed to be set by the security core. Considering TCM 36, if security data is placed in TCM 36, it must be handled with care. As an example, imagine a journey in which a non-secure operating system designs a physical address range for the TCM memory 36 so that it overlaps an external security memory portion. If the mode of operation is changed to a security mode later, the security core may cause the data to be stored in the above-mentioned important part, and the data is usually stored in the TCM 36, because the TCM 36 usually has higher priority than the external memory. If the non-secure operating system later changes the physical address space setting for TCM 36, so that the previous security area is now mapped to the non-secure physical area of the memory, I will understand that at this time the non-secure operating system can The security data is accessed because the segmentation detector will treat the area as non-secure and will not announce a 100 200417216 suspension. So, in short, if T CM is set to function as normal local RAM instead of SamrtCache, if it can move the TCM-based login to the non-secure entity address, it may allow non-secure operating systems to read Get security situation information. To prevent the above process, in the preferred embodiment, a control bit is provided in the CP15 login 34, which can only be accessed during security mode operation, and two possible architectures are provided. In a first architecture, the control bits are set to ,, i ", where the TCM can only be controlled by the security permission mode. Therefore, any non-secure access to the TCM control intention in cpi5 34 will be Caused to enter an undefined instruction exception. Therefore, in the first architecture, both the security mode and the non-security mode can use the TCM, but the TCM is controlled only by the security right and limited mode. In the second architecture, Set the control bit to 0, where the TCM can be controlled by a non-safety operating system. In this case, the TCM can only be used by non-safety applications. No security data can be loaded from the TCM or Stored in the TCM. Therefore, when performing security access, do not perform a query in the TCM to find out whether the address matches the TCM address range. By default, the imagination can only be made by non-security providers. In the course of using TCM '纟, it is necessary to change the non-safety operating system. As mentioned previously, in addition to providing a segmentation detector 222 at the MPU 22, the preferred embodiment of the present invention also provides a similar segmentation. Check The block is connected to an external bus 70, and this additional segmentation detector is used to monitor it: it also controls the access of the device to the memory, and it is directly connected to the digital signal processor (DSP) 50. DMA controller to external bus, gold energy bill that can be used as a recorder for device placement via 101 200417216, etc. The body fluid interface bus interface 42 is connected to the dma controller 32 of the external bus, etc. In some embodiments, as will be discussed later, it is possible that only one cut detection block is connected to the external bus without providing a sub-detector as part of the Memory Tube® Logic 30. In some such cases In the embodiment, a selective provisioning-segmentation detector is used as the memory management logic 30-part. In such examples, the segmentation detector is regarded as one of the provided in addition to the one connected to the loading bus. Further segmentation detection. As mentioned earlier, all memory systems can contain most memory sheets, and the above mentioned types can exist on external buses 7 such as external memory 56, boot ROM 44, or real 48, 62, 66 in the buffer or register in the peripheral device, for example, screen driver 46, 1 / 〇 interface 60, key storage unit 64, etc. In addition, different parts of the memory system may need to be defined as secure Sexual memory, for example, may require the key buffer memory 66 in the key store 64 to be considered a security memory. If a device connected to an external bus intends to access the security memory, it is clear that Providing the previously described memory management logic 30 in a chip containing core 10 will not be able to supervise such access. Figure 47 illustrates how to use the additional connection to an external bus (also referred to herein as a bus) Segmentation detector 492. This external bus is usually arranged so that whenever a device (e.g., devices 470, 472) issues a memory access request, it will enter the above external bus. The memory access requests also include certain signals on the external bus that define the mode of operation, such as permissions, users, and so on. According to the preferred embodiment of the present invention, the 2004 200417216 memory access request also involves sending a domain signal to the external bus to confirm whether the device is operating in a security mode or a non-security mode. It is best to signal the network domain at the hardware level, and in the preferred embodiment a device capable of operating in a secure or non-secure network domain will include a preset pin for outputting the network Domain signal to the path in the external bus 490. To describe it, on the external bus, this path 490 is shown separately from the other signal path 488. The domain signal (also referred to as " S bit " in this article) will confirm whether the device that issued the memory access request is operating in a secure or non-secure domain, and a split detector connected to an external bus 4 9 2 receives the information. The segmentation detector 492 will also have access to the segmentation information, confirming that the area of the memory is secure or non-secure, and can therefore be arranged to allow only one device to access the particular memory. In part, if the S-bit is declared to confirm a security mode operation. By default, imagine that the s-bit is not declared, and therefore a pre-existing non-security device (such as that shown in Figure 47). The indicated device 472) will not rotate a declared S bit, and therefore it is never allowed to access any security part of the memory by the split detector 4 9 2, whether it is on the screen driver 480, the turn-in output interface Register in 484 or in buffer 482, M6, or in external memory 474. For the purpose of description, it is used for memory access request issued by a master device (such as device 470, 47 2). Arbitration The arbiter block of er is explained by decoder 478 independent of the appropriate memory device used to determine the service memory access request and independent of the segmentation detector 492. However, 103 200417216, I will understand One or more can be integrated in the same unit, if desired.

Figure 48 illustrates an alternative embodiment in which the segmentation detector 492 is not provided, and instead each memory device 474, 480, 484 is arranged to monitor its own memory access based on the value of the S bit. Therefore, if the device 470 is to declare a memory access request to a login 482 in the screen driver 480 marked as secure memory in the non-security mode, the screen driver 480 will determine the S bit Undeclared, and the memory access request is not processed. Therefore, it is conceivable that with the appropriate design of various memory devices, it is possible to avoid the need to provide a separate detector on the external bus 492 ° In the above content of Figure 47 and Figure 48, the "Sbit" is The device for confirming that the memory access request is operated in a secure domain or a non-secure domain. Viewed from another perspective, the S bit can be regarded as indicating that the memory access request belongs to the secure domain. Or non-secure domain.

In the embodiments described in Figures 37 and 38, a single MMU (combined order-component page table) is used to perform virtual-to-physical address translation. In this way, the physical address space is usually divided between non-secure and secure memory in a simple pattern as shown in Figure 49. For one of the memory units in a memory system, the physical address space 2 1 00 contained in this article starts at address zero and extends to address Y, for example, external memory 56. For each memory unit, the addressable memory is usually divided into two parts, a first part 2 110 is allocated as non-secure memory and a second part 2 120 is allocated as secure memory. 104 200417216 In this way, I will understand that there are certain physical addresses that cannot be accessed by specific domains, and that such differences will be very obvious to the operating systems used in those domains. The operating system used in the secure domain will know the existence of the non-secure domain, and therefore will not care about it. The operating system in the non-secure domain should preferably not need to know the existence of the secure domain. , However, the opposite should be done as if not in a secure domain. In a further issue, I will understand that #security operating system knows that the address space of external memory starts at address zero and extends to address X, and the non-secure operating system does not need to know anything about the security The core of sex, and especially the existence of security memory extending from address χ + 1 to address Y. Instead, the security core will not know that its address space starts at address zero, which is usually not what one would expect from an operating system. An embodiment that alleviates the above-mentioned concerns, by allowing a secure memory region to be completely unknown to a non-secure operating system having its physical address space, and by enabling a security kernel and a security domain A non-secure operating system in the security domain to know that the address space of external memory starts at address zero, as shown in Figure 51. Here, the physical address space 2 2 0 can be cut into secure or non-secure blocks at the paging level. In the example shown in Figure 51, the address space of the external memory shown is cut into four blocks 2210, 2220, 2230, and 2240, which contain two secure memory regions and two non-secure memories. Body area. Instead of converting between the virtual address space and the physical address space by -single-page table conversion, perform two separate layers of address translation according to a first page table and a second page table, thereby importing An overview of the intermediate address space is based on whether the processor is in a secure domain or a non-secure domain, which can be used for different women's volleyball teams. In particular, as shown in FIG. 51, the two security memory areas 2210 and 2210 in the physical address space are described by using the description provided in a security page table in the group page table 2250. In 223〇 Yuse multi-sentence jh maps the pn $ hate space to a single region 2265. For the operating system subscribed on the processor, it will regard the intermediate address space as the physical address space, and will use the MMU to transform the virtual address into the intermediate address space in the intermediate address space. Similarly | 'Able to set an intermediate address space 2270 for non-secure domains, where drumming, a τ error is caused by the "tilt block character" in a non-secure page table of the component page table 2250 will be in the physical bit The two non-secure memory regions 2220 and 2240 in the address space are mapped to the non-secure region 2275 of the non-secure network domain. In one embodiment, as shown in FIG. 5A, the virtual address is Address-to-physical address translation is controlled using two independent MMUs. The MMUs 2150 and MMUs 2170 in FIG. 50A can be regarded as constructed in a similar manner to the MMU 200 shown in FIG. 37, but some details have been omitted to simplify the description. The first MMU 2150 includes a micro-TLB 2155, a main TLB 2160, and translation table walking logic 2165. Similarly, the second MMU 2170 includes a micro-TLB 2175, a main TLB 2180, and translation table walking logic 2 1 8 5. The first MMU is controlled by a non-secure operating system when the processor is operating in a non-secure network domain, or is controlled by the security core when the processor is operating in a secure network domain. However, in the preferred embodiment, 106 200417216, the second MMU can only be controlled by a security core or a monitoring program. When the processor core 10 issues a memory access request, it will issue a virtual address to micr0TLB 2155 via path 2153.茁 ⑺ 2 1 5 5 will store some virtual address parts, which correspond to the middle address part intercepted from the descriptor stored in TLB 2 1 60. The descriptor at main 2 160 is a paging table taken from a paging table associated with the first MMU 215. If one is detected in micr0-TLB 2 155, micro-TLB 2155 is able to issue an intermediate address corresponding to the virtual address received by path 2 1 5 3 via path 2157. If there is no match in micro-TLB 2155, reference will be made to the main 2160 to see if a match is detected in the main TLB. And if any, 'the virtual address part and the corresponding intermediate address part micro-TLB 2155 will be intercepted, and then the intermediate address can be mapped via path 2157. If there is no match between micro-TLB 2155 and the main TLB 2160, the translation The table walk logic 2165 is used to issue a request for a predetermined table of a first set of page tables of one of the required descriptors accessed by the first MMU 2150. In general, there may be paging tables for individual programs related to the security domain or non-sex domain, and the intermediate addresses of these paging tables will be accessible by the translation table walking logic 2 1 6 5 such as from cp 1 5 Proper login in 34. Therefore, the translation table walking logic 2165 is able to issue an intermediate address at path 2 1 67 to request a token from the appropriate paging table. Arrange the second MMU 2170 to receive the translation table via micro-TLB 2155 on path 2157 or via path 2167. The path -TLB is the main TLB group. One sign from any pageable security base login via description receiving logic 107 200417216 2165 any intermediate address output, and if a match is detected in micr0-T] LB 2175, then miCr0_TLB can pass the path 2 丨 92 sends out the physical address to §memory body to intercept the required data through the data bus 2 190. If an intermediate address is sent via path 2 丨 5 7, the required data will be sent back to core 1 0, and for an intermediate address sent via path 2 1 7, this will return the required descriptors. Go to the first MMU 2150 for storage in the main TLB 2160. If there is a discrepancy between micro-TLB 2175, it will refer to the main tlb 2180 'and if there is a match in the main TLB, it will return the required middle address part and the corresponding physical address part to micro-TLB 2 1 75, This causes micro-TLB 2175 to issue the required physical address via path 2 1 92. However, if there is no match in micro-TLB 2175 or main TLB 2180, then the translation table walk logic 2 丨 8 5 is output from the relevant paging table via path 2 1 9 4 to request the required descriptors, and the relevant paging The table is in a second component page table of a page table associated with a second MMU 2 1 70. The second set of page tables includes a descriptor that associates the middle address portion with the physical address portion, and usually has at least one page table for secure domains and one page table for non-secure domains. When a request is made via path 2 1 9 4 it will cause the relevant descriptors to be passed back from the second set of page tables to the second MMU 2170 for storage in the main TLB 2180. The operation of the embodiment described in Figure 50A will now be further explained by the following special cases, where the abbreviation VA refers to a virtual address, ία refers to an intermediate address, and PA refers to a physical address. 1) The core issues VA = 300 [IA = 5000, PA = 7000] 108 200417216 2) A discrepancy is found in the micro-TLB of MMU 1 3) A discrepancy is found in the main TLB of MMU 1 Paging Table 1 Base address = 8000 IA [PA = 10000] 4) Execute paging table query in translation logic of MMU 1 walking table-issue IA = 8003 5) find non-conformance in micro-TLB of MMU 2

6) The main TLB of MMU 2 is found to be inconsistent. Paging table 2 base address = 12000 PA 7) In the translation table of MMU 2 walk logic executes the paging table query-issue PA = 12008 π8000 IA = 10000 PA "is returned as the paging table data

8)-Primary TLB stored in MMU 2

9)-The micro-TLB stored in MMU 2 10) The micro-TLB in MMU 2 now has a hit (hit)-Issue PA = 10003 "3000 VA = 5000 ΙΑ" and return it as pagination table data

11)-Primary TLB stored in MMU 1

12)-The micro-TLB stored in MMU 1 13) The micro-TLB in MMU 1 now has a hit (hit) Issued IA = 5 000 to perform data access 14) The non-conformance found in the micro-TLB of MMU 2 15 ) Inconsistency found in the main TLB of MMU 2 16) Performing pagination table query on the translation table walking logic of MMU 2-Issue PA = 12005

109 200417216 π5000 ΙΑ = 7000 ΡΑΠ returned as pagination table data

17)-Primary TLB stored in MMU 2

18)-Micro-TLB stored in MMU 2 19) Hits found in micro-TLB of MMU 2-Hit PA = 7000 to perform data access 2) Data at physical address 7000 is returned to The next time the core issues a memory access request (called VA 3001 · ..) 1) The core issues VA = 3001 2) A matcher is found in the micro-TLB of MMU 1 and requests IA 500 1 to MMU2 3) at MMU 2's micro-TLB found a match and requested pa 7001 to send it to memory 4) The data in PA 7 001 was returned to the core. I will understand the discrepancy that occurred in the MMU's micro-TLB and the main TLB in the above example, and therefore this example represents the "worst case" journey. In general, it is expected that a conformer is found in at least one of the micro-TLBs or the main TLB, thereby greatly reducing the time to intercept the data and return to Figure 51. In a preferred embodiment of the security area, the physical address is A second set of page tables 2250 is usually provided in a particular area of space. The first group of page tables can be divided into two types, namely, security page tables and non-security page tables. In a preferred embodiment, the security paging tables 110 200417216 will continuously appear in the intermediate address space 22 6 5, as well as the non-security paging tables in the non-secure address space 2 2 7 5. However, they are not continuously placed in the physical address space, and therefore, for example, the security paging table of the first set of tables can be spread across the security areas 2210, 2230, and in a similar manner, non-secure paging tables can be spread across non-security Memory 2220 and 2240 〇As mentioned earlier, one of the main two-tier methods using two sets of page tables can arrange the physical address space for the operating system of the secure domain and the operation of the non-secure domain. Starting at zero, it is usually what the operating system expects. The additional secure memory area can be completed as a non-secure operating system with its own "physical address" space. Because it treats its physical address space as an intermediate address space, it can be regarded as a continuous with intermediate addresses. sequence. In addition, the use of such methods can greatly simplify the processing of memory switching regions between non-secure and secure memory. as the picture shows. As can be seen from Figure 52, a region of the memory 2 3 0 0, such as a single paged memory, can exist in the non-secure memory 2220, and the memory region 2310 can also exist in the security memory region 22 1 0 in. However, the above two memory areas 23 00 and may be easily changed by changing the related descriptors in the second set of page tables, so that area 2300 now becomes a security area which is mapped into the middle address space of the security domain. Area 2 3 0 5 and area 2 3 10 is a non-secure area that maps to the area 2 3 1 5 of the middle address of the non-secure network domain. In the security domain and the non-security domain, it can be paging and the regional advantages are unknown. The arrangement memory is 52%. For example, regional integrity 23 10 is adjusted to change the space completely. 111 200417216 clearly Occurs in the operating system, because from the point of view of the physical address space, it is indeed the intermediate address space of the secure domain or the non-secure domain, respectively. Therefore, the method avoids any redefinition of the physical address space in each operating system. An alternative embodiment of the present invention will now be described with reference to Fig. 50B, which also uses two MMUs, but in an arrangement different from that of Fig. 50A. Comparing Figure 50A and Figure 50B, it can be seen that the arrangements are almost the same, but in this embodiment, the first MMU 2150 is arranged to perform the translation of the virtual address to the physical address, and the second MMU is arranged to perform the intermediate address Translation to a physical address. Therefore, 'contrary to the embodiment of FIG. 50A, the path from the micro-TLB 2155 of the first MMU 2150 to the micro-TLB 2175 of the second MMU 2170 is arranged, and the micro-TLB 2155 of the first MMU directly outputs an entity via the path 2192. Address, as shown in Figure 5B. The operation of the embodiment shown in Figure 50B will now be explained by a special case below. The detailed procedure of the core memory access request is the same as that shown in Figure 5a. 1) The core issues VA = 300 [IA = 5000, PA = 7000] 2) The micro-TLB and main TLB finds a discrepancy. Paging table 1 base address = 8000 IA [PA = 10000] 3) Performs paging table query on the translation table walking logic of MMU 1-issue IA = 8003

4) iA 8003 is found to be inconsistent with the micro-TLB and main TLB of MMU 2.

Base address of pagination table 2 = 12000 PA 112 200417216 5) Execute pagination table query in translation logic of MMU 2-Issue PA = 12008 ”8000 IA = 10000 PA” is returned as pagination table data

6) " 8000 IA = loooo pa "maps the main TLB and micro-TLB stored in MMU 2 7) The micro-TLB in MMU 2 is now translated from step (3) to PA 1 003 and issued a fetch" 3000 VA = 5000 ΙΑ " returns as pagination table data

Please note: This translation is retained in the temporary storage by MMU 1, but not directly stored in any TLB 8) The translation logic of MMU 1 walking logic now issues a request of LA = 5000 to MMU2 9) Micro-TLB and main in MMU 2 TLB finds a discrepancy IA 5000 10) Performs pagination table query in the translation logic of MMU 2-Issue PA = 1200 5 "5000 IA = 7000 PA" is returned as pagination table data 11) MMU 2 stores "500〇ία = 7000 PA " in micro-TLB and main TLB. The translation is also connected to MMU 1. 12a) MMU 2 issues PA = 7000 to access memory

12b) MMU 1 combines "3000VA = 5000 IA", and, '5000 IA = 700 0 PA "descriptor to give one, and 3000VA = 7000 PA" descriptor, which is stored in the MMU 1 The main TLB and micro-TLB 13) The data in PA 7000 is returned to the core 113 200417216 The next time the core issues a memory access request (called VA 3 〇〇 丨) 1) The core issues VA = 3001 2) A match was found in the micro-TLB of MMU 1. MMU i issued a request for PA = 7001. 3) The data in PA 7 001 was returned to the core. From the comparison of the above example provided in Figure 50 A, it can be seen that The main difference here is in step 7, where MMU 1 does not directly store the first table private descriptors' and in step 12b (12a and 12b can occur simultaneously) where MMU 1 also receives IA-> PA translation and combines and Its TLBs store the combined descriptors. Therefore, we can understand that when the alternative embodiment still uses two sets of page tables to convert the virtual address to the physical address, it is actually a match

When the micro-TLB 2155 or the main TLB 2160 occurs, the micro-TLB 2155 and the main TLB 2160 store the translation of the virtual address to the physical address to avoid the need to perform queries in the two MMUs. In this case, the first MMU can control the request directly from the core without having to refer to the second MMU. I will understand that being able to schedule the second MMU 2 170 does not include micro-TLB 2175 and main TLB 2180, of which the paging table walking logic 2185 is used for every request that needs to be controlled by the second MMU. It can save complexity and consumption for the second MMU, and can accept the assumption that only a relatively small number of second MMUs are needed. Because each request will require the use of the first MMU, usually the first MMU 2150 includes the micro-TLB 2155 and the main 114 200417216 and the TLB 2160 is more advantageous to improve the operating speed of the first MMU. It should be noted that the pages in the paging table can be resized, and thus there may be two halves of the translated descriptors associated with pages of different sizes. In general, the paging of MMU 1 is smaller than the paging of MMU 2, but this is not necessary. For example: Table 1 maps to 4Kb at 0x40003000 to 0x〇〇〇81〇〇〇 Table 2 Maps to 1Mb at 0x00000000 to 0x02000000 Here, the smallest of the two sizes must be used in conjunction with translation, so the binding descriptor is at 0x40003000 4Kb mapped to 0x〇2081000 However, the exchange of data between contexts (as described previously with reference to Figure 52) may be reversed, for example: 4Kb Now, query the given mapping from the core at one of the addresses Oxc0042010: 4Kb at 0xc0042000 to 0x2042042000 That is, the smallest of the two sizes is always used to combine the mappings. Please note that in the second case, the processing is less efficient because the descriptor (1Mb) in Table 1 will be searched and discarded repeatedly when accessing different 4Kb regions. However, 'in a typical system, in most cases, the 115 200417216 descriptor of Table 2 will be larger (as described in the first example), which is more efficient (capable of mapping 1 Mb to point to the appropriate portion of the IA space). The other 4 Kb pages are used again). As shown in Figures 50A and 50B, using the selective method of two separate MMUs, a single MMU can be used in Figure 53. When a discrepancy occurs in the main TLB 2420, an exception is generated by the MMU (which makes the software in core 1 〇 is performed to generate a virtual-to-physical address translation based on a combination of descriptors from two different sets of paging tables. In particular, as shown in Figure 53, the core 1 〇 and

MMU 2400 link (which includes a micro-TLB 2410 and a primary TLB 2 4 2 0. When core 10 issues a memory access request, the virtual address is provided via path 2 4 3 0 'and if the micro-TLB When a match is observed, the corresponding physical address is directly output via path 2440, so that the data is returned to core 1 via path 2450. However, if there is a discrepancy in micr0 TLB 2410, then refer to the main TLB 2420 and If the relevant TLB is included in the main TLB, the relevant virtual address part and the corresponding physical address part are intercepted to micro_TLB 2410. After that, the physical address can be issued via path 2440. However, if the main TLB also generates a discrepancy Otherwise, an exception is generated and sent to the core via the path 2422. The processing after receiving such an exception in the core will be further described with reference to FIG. 54. As shown in FIG. 54, if the core If a TLB non-conformity is detected, the core enters the monitoring mode with a preset vector for the abnormality in step 25 10. At this time, it will bring the paging table into line with the executed code. And to perform the rest of the steps shown in Figure 54. In particular, in step 2520, the virtual address is issued via path 2430 and intercepted in the micro-TLB 241 〇 and the main TLB 2420. 116 200417216 payer (Hereinafter, Lord Zhu · Mi # is the faulting virtual address), and after that, you will find the following: according to the middle base address of the appropriate form in the first set of forms, in the second place 5 3 0 1 / 2_α & — D j υ The step determines the intermediate address of the first descriptor required. Once the intermediate address is determined (usually using some kind of prediction of the virtual address and the intermediate base address. Again ,,, Q combined), and then refer to the related table in the second set of tables to obtain the corresponding physical address for the first descriptor. Thereafter, in step 2550, the first descriptor can be obtained from the memory to determine the error virtual The middle address of the address. Then, in step 2560, refer to the second table again to find the second descriptor to give the physical address for the middle address of the wrong virtual address. Thereafter, in step 2570, retrieve the Second descriptor to get false virtual The physical address of the address. Once the above information has been obtained, the program merges the first and second descriptors to generate a new descriptor with the required virtual address-to-physical address translation, step 2585. Perform this step. In a similar way as previously described with reference to Figure 50b, the software performs the merge again, using the smallest page-table size for the combined translation. Thereafter, in step 2590, this is stored in the main TLB 2420 The new descriptor, and the program returns from the exception at step 2595. Thereafter, the core 10 is scheduled to issue a virtual address again for the memory access request via the path 2430, which will still generate a non-conformance in micr0-TLB 2410, but will now generate a conformant in TLB 2420. Therefore, the virtual address part and the corresponding physical address part can be intercepted to the micro-TLB 2410. After that, the micro_TLB 2410 can pass the path 117 200417216 2440. When the MMU works, the authority of the processor, the result of the management, management and retrieval. It is used for a cache and a search for security. It can be used for segmentation, so that the required information can be transmitted back to the core 10 via the route 2450. Bu will understand that in the embodiment described in Figure 50A and Figure 50B, by using the principle described above with reference to Figure 53 and Figure 5 It depends on whether one or two of the MMUs in the above embodiment use two as shown in Figure 5ΠΔ si A or 50B, or as shown in Figure 53; ia Tingbu slave uses an MMU when operating in monitoring mode The fact that the processor manages a group of page tables (or, optionally, in a security mode) only #) ensures that the page tables are secure. As a result, when the device is in the non-secure domain φ ^. 埤, it can only see the non-secure memory because when it is in the non-secure branch Ag | ijb 1. All you can see-the group page table creates an intermediate address space for non-secure domains. It is not necessary to provide a segmentation detector as the memory shown in the first figure, the σ 卩 of °. However, sub-testers are still provided on the external buses to monitor the presence of other bus masters in the system. In the embodiments previously discussed with reference to Figures 37 and 38, references to MMU 2000 are provided. The partition detector 222, and therefore when access is to be performed in the 38, the access permission has already been performed in micro-TLB 2006 and therefore the access permission has been checked (especially for security and non-sexual rape) . Therefore, in such an embodiment, the security data cannot be stored in the non-security response. Access to the cache 38 is performed under the control of the split detection performed by the detector 222 'and therefore in non-secure mode. 118 200417216 However, in an alternative embodiment of the present invention, the segmentation detector 222 is not provided for monitoring access by the system bus 40. On the contrary, the data processing equipment has only one connected to the external bus 70. 'Single Detector Detector' is used to control access to the memory unit connected to the external bus. In such embodiments, at this time it means that the processor core is able to access any memory unit directly connected to the system bus 40, such as tCM36 and cache 3 8 'without having to oversee the external partition detector These accesses, and therefore some mechanisms are needed to ensure that the processor core, when operating in a non-secure mode, 'does not access non-secure data accesses in the cache 38 or TCM 36. FIG. 55 illustrates a data processing device according to an embodiment of the present invention, in which a mechanism is provided to enable the cache 38 and / or the TCM 36 to control access to it without the need to provide a correlation with the MMU 200. Any split check logic. As shown in Figure 55, the core 10 is connected to the system bus 40 through MMU 200, and the cache 38 and TCM 36 are also connected to the system bus 40. The core, 10, cache 38 and TCM 36 are connected to the external bus 70 through the external bus interface 42, which includes a single address bus "M,-control bus 2630 and a data bus 2640, such as This is shown in Figure 55. The core 10, MMU 200, cache 38, TCM36, and external bus interface 42 can be considered as a single device connected to the external bus 70, as a device bus, and other devices. It can also be connected to the above-mentioned device bus, such as the safety peripheral device 47 or the non-security peripheral device 472. Also connected to the device bus 70 is one or most memory units, such as the external memory 56. In addition, A bus control unit "M 119 200417216" is connected to the device bus 70 and usually includes an arbiter 2652, an encoder 2654, and a split detector 2656. For a general discussion of the operation of the components connected to the device sink, reference should be made to the previously described ^ Figure 'The arbiter, decoder and segmentation detector are shown as a single block' but should be placed in a single control block 2 6 At 50 o'clock, these components work in the same way. The MMU 200 in FIG. 55 is further detailed in FIG. 56. Comparing Figure 56 with Figure 37, you can see MMU 200. It is constructed in exactly the same way as MMU in Figure 37, the only difference is that the detector 222 is not used for monitoring the path between the main TLB 208 and micro 206 242 data transmission. If the processor core issues a memory access request specifying a virtual address, the memory access will then bypass the MMU 200 and process the micro-TLB 206 as described earlier in Figure 37 to output a physical bit via path 238 Address to system row 40. Conversely, if the memory access request directly specifies a physical entity, this will bypass MU 2 0 0 and directly route to the system bank 40 via path 2 3 6 ^ In one embodiment, only when the processor is in the monitoring mode Intermediate time 'generates a memory access request that directly specifies the physical address. Recalling the previous description of MMU 200, and especially Figure 43, the main TLB 208 will contain some descriptors 435, and a domain flag 4 2 5 will be provided for each descriptor to determine whether the corresponding descriptor is self-contained. Security paging table or a non-security paging table. The above descriptor and associated domain flag 425 are described in MMU 200 in FIG. 55. The area of a streamline% 47 is the same by sending a request with a split-TLB 10, from the bus L address, the description of the bus operation to the 435 profile 120 200417216 Tian core w issued-when the memory access request The physical address of the access request is output to the system bus ... At this time, cache 38 will execute the query process, and ^ data items are stored in the cache. As long as the cache is not = m μ, the data item belonging to the access request is not in error. The cache invitation is taken: Take the first line filling (Hnefiii) process 4 to retrieve the data from the external memory 5 ′. Data items belonging to a memory access request. In particular, the cache will be borrowed from the EBI 42 output-line fill request to the control bus 2630 of the device bus 70, and the initial address will be output to the address bus 2620. In addition, a HpRot signal will be output to the control bank 2630 via a path ^ 2, which will include a domain signal indicating the core operation mode when a memory access request is issued. Therefore, the line fill procedure can be viewed as the propagation of cached raw memory access requests to the external buses. The HPROT signal is received by the segmentation detector 2656, and it is thus confirmed whether the segmentation detector, when an external memory access request is issued, installs the specified data requested from the external memory 56 (in this case, the device and Core 10 and cache 3 8 work together) to operate in a secure domain or in a non-secure domain. The split detector 2656 will also access split information that confirms whether the memory area is secure or non-secure, and can therefore determine whether the device will allow access to the data it requested. Therefore, if the domain signal in the HPROT signal (also referred to as the S bit in this article) declares that access to the data is requested by the device, then when operating in a security mode, it is capable of Arrange the partition detector to only allow a device to access a security portion of the memory. 121 417216 If the server has been identified for a long time, the detector decides not to allow the core 10 to access the requested data. For example, Mo 4 u is the hpr〇t signal and it has been confirmed that the core is not in a non-security mode. 6 people Work, but the line filling request attempts to retrieve data from the memory of the female general area in one of the female memory areas, then the segmentation detector 2 6 5 6 sends out a suspension of the power ° ~ to the control bus 2630 (It will be sent back to EBI 42 via path 2636, and Private 1 causes a suspension message to be sent to core 10 via path 2670. However, if the eight S mark signal 2: Cut detector 2656 decides to allow access, it outputs- Data or non-security ... Make sure that the data intercepted from the external memory is returned to the EBI 4 material, and that the S-tag signal passes the path 2634 to the filling process / 42, and sets the flag related to the cache line 2600. Belonging to the line at the same time, the line filling data series 2650 authorizing the external memory 56 to request 38 from the external storage 56 to store the data through the path 2680 via EBI 42 to the cache; the relevant cache line 2 6 0. Therefore, the result of this process is * Barrier | Λ ^ " 6 data item fill cache The selected cache line will be filled with negative material items from the external # @, ^ 隐 体 56, these data items include belonging to ^. 1 〇 The data items of the original memory access request. The items belonging to the "Yiyi" from the core memory access exemption can be selectively returned to the core from cache 38 ~ 'or can be selectively Passed from EBI 42 to core 10 via path 2660 for direct provisioning. Therefore, in the preferred embodiment, the above-mentioned line filling process will cause the original storage of the cache line to occur, and the flag 26 associated with the cache line 〇2 will be set based on the value provided by the split detector 2656, and this flag will then be used by cache 38 to directly control any subsequent access to the item 122 200417216 in cache line 2600. Therefore, if the core 10 then causes a particular cache line 2600 in cache 3 8 to generate a conformant memory access request, the cache 38 will check the value of the relevant flag 2602 and This value is compared with the value of the existing operating mode of the core 10. In the better In the embodiment, a domain bit set by a monitoring mode in the CP 15 domain status registration indicates an existing mode in which the core 10 operates. Therefore, when the processor core 10 is operating in a security operation mode Can be arranged to cache 38 data items that are only allowed in one cache line, which is indicated by the corresponding flag 2602 as security data that can be accessed by the processor core 10. When the core is in a non-security mode During operation, any intent by the core to access the security data in the cache 38 will cause an abort signal via the cache 38 via path 2670. TCM 36 can be set up in a variety of ways. In one embodiment, it can be created like a cache, and the embodiment is arranged to include a majority line 2 6 10, in the same way as the cache 38, each of which has a flag 2612 associated with it . Use exactly the same method as previously described for cache 38 to manage access to TC Μ 3 6 and any τ 〇μ that causes the first-line fill processing to be performed, as a result of which the data will be intercepted to a specific line 26 丨〇, and the segmentation detector 2 6 5 6 will generate the required S-tag value to store the flag 2 6 1 2 associated with the line 2 6 1 〇. In an alternative embodiment, the TCM 36 can be set up as an extension of the external memory 56 and used to store data that is often used by the processor, because the access to the TCM via the system bus is usually less than the external δυ 1¾ Faster access. In such embodiments, TCM 36 does not use flags, 2612, but instead uses a different mechanism to control access to the TCM.兵兵 123 200417216 Yes, as described earlier in this type of implementation, the processor can set a control flag. When executed in a permission loyalty ^ & right ... permission female generality mode indicates that it is memory, Or when executed on at least one non-controlled by the processor controller. From the security mode, the “common mode” can be controlled by the menu, and then set the control flag, and the actual control can be controlled by the permission security mode or non- ^ ^ ^ Khan women's holistic mode. Because it is enough to define an architecture, the TCM can only be controlled when the 4W A driver is used to operate the field processor in a steep mode. In this example, any intent to access the TCM record will result in entry by workers, etc.—undefined command exception. In an alternative architecture, the TCM can be controlled by the processor when the field is in a non-secure mode. In the ^ penetrating embodiment, the TCM is used only by non-safety applications. It is not possible to store any security data or load from. Therefore, when performing a secure access to the host, no query is performed in the TCM to find out whether the address matches the TCM address range. The flow chart of 57M illustrates that when a security program operating on processor core 10 generates a virtual address, it is executed by the device of FIG. 55. First, in step 2705, it is executed in micr0TLB206. The query, and if it generates a match, the micr0TLB checks the access permission at step. Referring to FIG. 56, the program can be regarded as being executed by the Xu logic 202. If one of the micro-TLB queries occurs at step 2705, the main T] LB 208 query at which the non-security descriptor is stored (step 2710). If it produces a discrepancy, then a paging table walking procedure is executed in the first step (as previously referred to in Figure 37, it is just the processing meaning that this is the case. When the security system is registered, the full-scale TCM will perform any non-executive action. A 2730 access does not match the execution of 2715 (124 200417216), where after step 2720, it decides that the main TLB contains a non-security descriptor that is tagged. If a match is generated at step 2710, the procedure proceeds directly to step 2720. Thereafter, at step 2725, the micro-TLB loads the portion containing the descriptor of the physical address', and then at step 273, the micro-TLB checks the access permissions. If an access violator is found in step 2730, the program proceeds to step 2740, in which an abort signal is sent to the processor core via path 230 (similar to path 2 6 70 shown in Fig. 55). However, if no violator is detected, then at step 2745 a decision is made as to whether the procedure is related to a cacheable data item. Otherwise, an external access is initiated in step 2790 in an attempt to intercept the data item from the external memory 56. At step 2795, the 'segmentation detector 2 6 5 6 will decide if there is a security segmentation violation, that is, if the processor core 10 attempts to access the secure and full memory while operating in a non-secure mode. A data item, and if a violator 'is detected, the segmentation detector 2656 will generate an abort signal at step 2775. "Two and 'assuming there is no security partition violation, the process proceeds to step 2 7 8 5' which is where the data access occurs. If it is determined at step 2 7 4 5 that the requested data item is cacheable 'Then perform a cache query in the cache at step 2750, and if a match is detected by the debt, the cache determines the security line label violation at step 2755. Therefore, at this stage, the cache will Check the value of the flag 2602 associated with the cache line containing the data item, and compare the value of this flag with the core operating mode 'to determine whether to authorize the core to access the requested data 125 200417216. If a security is detected Sex line label violation, the program proceeds to step 2760, where a security violation error suspension number generated by cache 38 and issued to core 1 via path 2670. However, it is assumed that it is not detected at step 275 ° 5 If the security line label is violated, data access is performed at step 2785. If a cache mismatch occurs when the cache query is executed at step 2750, an initial cache line fill is performed at step 2765. At step 277 + At this time, the segmentation detector 2656 detects whether there is a security segmentation violation and sends a stop signal at step 2775. However, assuming that no security segmentation violation is detected, the cache line is filled at 278. Steps are performed, and data access is completed at step 2785. As shown in Figure 57, steps 2705, 2710, 2715, 2720, 2725, 2730, and 2735 are performed in the MMU, and 2745, 2750, 2755 Steps 2765, 2780, and 2790 are performed by the cache, and steps 2770 and 2795 are performed by the segmentation detector. Figure 58 is a flowchart illustrating a security program executed in the core to generate a virtual address A similar procedure (step 2800) is performed at the time. By comparing Fig. 57 and Fig. 58, we will understand that the 2805 step performed in MMU via 8 2835 is similar to the previous reference to the knife chart It is described through step 2705 of 2735. The only difference is in step 2810, where the query performed in the main | TLB is related to any security descriptor stored in the main M, and the result is in the 282 〇Step TLB contains A security descriptor with a valid label. In the cache, the cache no longer needs to look for any security lines. Hiding violations 126 200417216 Anti-because, as shown in Figure 5-8, it is assumed that the security program can access the security Data and non-security data. Therefore, if a match occurs during the cache query in step 285, the procedure proceeds directly to step 2 8 8 5 in the data access step. Similarly, if external memory External access (ie, in steps 2 8 5 or 2 89), the segmentation detector does not need to perform a segmentation check because

Suppose again that a security program can access secure or non-secure data. Steps 2845, 2850, 2865, 2880, and 2890 performed in the cache are similar to steps 2745, 2750, 2765, 2780, and 2790 described earlier with reference to Figure 57. Figure 59 illustrates the different modes and applications executing on the processor. According to an embodiment of the invention, the dashed lines indicate how different modes and / or applications can be separated and separated from each other during the monitoring of the processor β

The ability to monitor a processor for possible errors and discover why an application is not performing as expected is very useful and many processors provide such functionality. This monitoring can be performed in many ways including functions for debugging and tracing. According to the technology of the present invention, the debug in the processor can operate in several modes, including a shutdown debug mode and a monitor debug mode. These modes invade and cause the program to execute when it is about to stop. In the shutdown debugging mode, when a breakpoint or a watchpoint occurs, the core stops and detaches from the rest of the system and the core enters the debugging state. The core was stopped at the beginning, the pipeline was cleared and no instructions were retrieved in advance. Freezes the PC and ignores any interrupts (IRQ and FIQ). Then maybe 127 200417216 to check the internal status of the core (through the JTAG serial interface) and the status of the memory system. This state is intrusive to program execution because it may modify existing modes, change registration status, and so on. Once the debugging is terminated, the core uses the Debug TAP to exit the debugging state by scanning the Restart instruction. The program then resumes execution. In the monitoring and debugging mode, a breakpoint or a monitoring point causes the core to enter the abort mode, using prefetch or data abort vectors (Data Abort v e c t or r s), respectively. In this case, if the core is in shutdown (H a 11) debug mode, the core is still in a functional mode and does not stop. The suspension manager communicates with a debug application to access processor and auxiliary processor status or dump memory. A debug monitor is located between the debug hardware and the software debugger. Interrupts (FIQ and IRQ) can be prevented if bit 11 (see below for details) that controls register DSCR and debug status is set. In the monitoring and debugging mode, the vector interception is invalidated in the data aborts and prefetch aborts to avoid the interruption caused by the monitoring and debugging mode, causing the processor to be forced into an unrecoverable state. It should be noted that the monitoring debt mode is a debugging mode and a processor-independent monitoring mode (a mode for supervising the transition between a security context and a non-security context). Debugging can provide a snapshot of processor state at some point. When it receives the initial request for debugging, it does so by annotating these values on various logins. These values are recorded on a scan chain (541, 544 in Figure 67) and then they are sequentially rotated out using a JTAG controller (18 in Figure j). One option for monitoring the core is to use traces. Tracking is not intrusive and records subsequent status if the core continues to operate. The tracing is performed on the embedded trace macrocell (ETM) of 22 and 26 in the first picture. The ETM has a tracking port to output tracking information, which can then be analyzed by an external tracking port analyzer. The processor of the embodiment of the present technology operates in two separate network domains. In the described embodiment, these network domains include secure and non-secure network domains. However, ‘for the purpose of the monitoring function, familiarity with this skill will make it clear that these domains may be any two domains whose data will not leak to each other. Embodiments of the present technology are related to preventing data leakage between two network domains and monitoring functions such as error detection and tracing, which allows convenient access to the entire system, which is also a potential for data leakage between network domains source. In the above examples of secure and non-secure domains or situations, security information cannot be obtained by non-secure situations. Furthermore, if debugging is allowed in a security context, it may help limit or hide some of the information in the security context. The dotted lines in Figures 5 and 9 show examples of some possible methods that divide data access and provide granularity at different levels. Block 500 in Figure 59 shows the monitoring mode and it is the safest of all modes and controls the transition between security and non-security scenarios. Below the monitoring mode 500 there is a monitoring mode 52. Then there are non-secure user modes with applications 522 and 524, and a secure user mode with applications 512, 514 and 516. Only the monitoring mode can be controlled (error and tracking). Monitoring the non-security mode (left of the dotted line 501). Optionally, it may allow monitoring of non-secure 14 domains or context and security user modes (the left side of the 50 worker and the right side of the spear 01 below the 502). In a further embodiment, non-security contexts and certain 129 200417216 applications may be allowed to execute in the security user domain, in which case it is further divided by the dashed line 503. This type of division helps prevent the leakage of security data between different uses that can perform different applications. Under certain control conditions, the entire system can be monitored. Depending on the required granularity, the following parts of the core need to have the access they control during the monitoring function. In the case of an error detection, four types of registrations can be set; instruction error status registration (if SR), data error status registration (DFSr), error address registration (FAR), and instruction error address (IFAR). When changing from a security context to a non-security context, the above registration should be cleared in some embodiments to avoid any leakage of data. PC sample registration: DebUg TAP can access the PO through scan chain 7. When debugging in the security context, the value can be masked according to the debugging granularity selected in the security context. When the core executes in a security context, it is important that the non-security context, or the non-security context applied by the security user, cannot get any value of the PC. TLB project CP15 can be used to read the micr0-TLB project to read and write the main TLB. We can also control the loading and matching of the main TLB and micr0 TLB. This operation must be strictly controlled, especially if security thread debugging requires assistance from the MMU / MPU. Performance monitoring control registration · The performance control registration gives information on those cache mismatches, micro-TLB non-compliances, external memory requests, branch instructions executed, and so on. Non-security situations should not access this data, even in a debug state. That is, they are invalidated in a security context, and these counts should be operable in a security context. 130 200417216 Non-trespassing can enable access to non-safety and dislocations. Only partial restrictions can be a method. Cache faults in a cache system: Debugging in a cache system must be in-line. of. This is important for consistency between cache and external memory. Using CP15 can disable the cache or force the cache to write to all areas. However, corrections that allow caching in debugging may be a weakness in security and should be controlled. Byte Order: Endianness should not allow global context or security user applications with access to debug to change the byte order. Changing the tuple order may cause a core failure in security. Depending on the granularity, sequential access to bytes is prohibited during detection. At the beginning of the monitoring function, you can control one of the core monitoring functions. Extraction and tracking can be initiated in many ways. Embodiments of the present technology allow for initialization under certain conditions to control access to certain security monitoring functions of the core. The embodiments of the present technology seek to control intrusive and non-intrusive (tracking) debugging separately for access monitoring functions by the following granularity; by allowing detection only in the security user mode or throughout the security context Errors; By allowing debugging only in the security user mode and taking thread ID into account (application execution). To control the initialization of a monitoring function, it is important to understand how the function can be initiated. Figure 6 shows a table explaining the initial monitoring function b, the initial monitoring function type and such initialization deduction are designed by Spear, 131 200417216. Usually, the 4b can be accessed by software or by hardware, that is, borrow a controller. To control the monitoring function at the beginning ::: Use the control value. The above includes the position-dependent enable bit and therefore, if a specific bit appears, it is only allowed to start monitoring if the enable bit is set. The security log CP14 stores these bit errors and status control logs (DSCR), which are located in ICE 53〇 (Please refer to Figure 67. In a preferred embodiment, there is a boot intrusion. And disable intrusion and intrusion detection four bits, the above includes a security debug enable bit, a full trace enable bit, a security user mode enable bit, and a security thread detect These control values are used to provide a degree of controllable granularity for the monitoring function and thus can help prevent leakage from a specific network domain. Figure 61 provides a summary of the bits and how they can be accessed. The control bits are stored in a registry in the security domain, and access to the registry is limited to three possibilities. Software access is provided by the arm auxiliary processor MRC / MCR instructions, which are only allowed from Security 1 * Health Supervisor Mode. Optionally, & can provide software access from any other mode using an authorization code. A further option is more related to hardware access and involves the use of an input port on JTAG to write In addition to being used to enter control values related to the effectiveness of the monitoring function, this input can be used to enter control values related to other functions of the processor. 进一步 Further details related to scan chains and JTAG are as follows 132 200417216 Register logic cell Each integrated circuit (1C) contains two types of logic: • Combined logical cell; for example, AND, OR, INV gates. Use such gates based on one or most input signals. Or a combination of such gates to calculate the Boolean representation. • Log in to a logical grid; for example, LATCH, FLIP-FLOP. Use this grid to § record any signal value. Figure 62 shows a positive edge (positive? -edge) Triggered FLIP-FLOP: When a positive edge event occurs on the clock signal (CK), the output (Q) receives the value of the input (D); otherwise the output (Q) keeps its value in memory . For the purpose of testing or debugging, the scan key grid needs to bypass the functional access of the registration logic grid and directly access the contents of the registration logic grid. Therefore, the registration grid is integrated into a scan shown in Figure 63. Key lattice In the formula, the scan enable (SE, Scan Enable) is clear and the login box functions as a single login box. In the test or debugging mode, the SE is set and the input data can come from the Scan In (SI) input instead of 〇 Enter 0 as shown in Figure 64. All scan chains are chained as scan chains. In the functional mode, SE is clear and usually has access to all login grids and interacts with other logic in the circuit. In the test or test mode, the SE is set up and all logins are chained to each other in a scan chain. Data can come from the first scan chain and can be converted by any other scan chain at the pace of each clock cycle. Ability to convert data to understand login content. The IΛP controller is equipped with a debug TAP controller to control some scan chains. The TAp controller can select a specific scan chain: it connects the "scan in" and "scan out" signals to a specific scan chain. Funding can then be scanned into the chain, converted, or scanned out. The TAp controller is controlled externally through a JTAG port interface. Figure 65 illustrates a TAP controller. For security reasons, some logins cannot be accessed by the scan chain, even in debug or test mode. A new input called JADI (JTAG Access Invalidation) allows dynamic or static removal of a scan chain from an entire scan chain without having to modify the scan chain architecture in the integrated circuit. The MA and 66B illustrate this input. If JADI is not enabled (JADI = 〇), the scan chain works as usual, whether in functional or test or debug mode. If JAM is enabled (JADI = 1) and we are in test or debug mode, some scan chains (selected by the designer) can be "removed" from the scan chain architecture. To maintain the same number of scan chains, the JTAG selective fail scan chain uses a bypass register. Note that the scan out (s〇, 134 200417216 out) and the scan chain output (Q) are now different. Figure 67 illustrates a processor that includes portions of JTAG. In normal operation, the command memory 550 and the core communication can also communicate with the registered CP14 and reset the control value under certain conditions. Normally only self-safe supervision is allowed. When the debug is initialized, the instruction is input through the Debug TAP 5 80, and it is the control core. The core under debug is executed step by step. Debug TAP accesses CP14 through the core (according to the access control signal input to JSDAEN PIN, which is displayed by JADI PIN (JTAG ACCESS DISABLE INPUT in Figure 45)) and can also be reset by this method Set the control value. The access control signal JSDAEN controls the access to the CP 14 registration by the Debug TAP 580. This arrangement is such that access, especially write access, must allow JSDAEN to be set high. When the entire processor has been confirmed, during the board phase (b0 a r d s t a g e), 4 errors are enabled and the JSDAEN is set high during the entire system. Once the system has been checked, the JSDAEN PIN can be grounded, which means that debugging with the Debug TAP 5 80 cannot be enabled at this time. The general processor in production mode has a grounded J S D A E N. Therefore, the control value can only be accessed by software that is routed through the command memory 5 50. Access via this bypass is restricted to the security oversight mode or another mode that provides an authorization code (refer to Figure 68). It should be noted that by default, debugging (intrusion and non-intrusion-tracking) can only be used in non-security contexts. In order for them to be used in a security context, a control value enable bit needs to be set. 135 200417216 Its superiority & Hao Yi's error detection can only always be initiated by the user in order to be insecure. Therefore, although the user is usually unable to access the security during debugging, in many cases it is not a problem, because the access to the context is old and the board stage is completely complete before it is available Confirming security temperament is therefore foreseeable. In many cases, debugging of security contexts is unnecessary. If necessary, a safety supervision can still initialize the debugging by software written in CP14. The 68th figure shows the control of the debugging initialization. In the figure, a wound of the core 600 " sentence 4τ. Withered ~ storage element 601 (can be a CP 15 login as previously described) yarn in the basin 'Ercun indicates whether the system is safe in a security context The sexual element S ° core 600 also includes a login 602, which includes a mode (eg, user mode) instructing the processor to execute and a login 603 that provides a content identifier to confirm the application or thread currently executing on the core. When a breakpoint is reached, a comparator compares the breakpoint stored in the register 6 1 1 with the core address stored in the register 6 1 2 and sends a signal to the control logic 620. The control logic 620 looks at the security state S, the mode 602, and the execution thread (content identifier) 603 and compares it with the control value and the condition state stored in the login CP14. If the system is not operating in a security context, an "enter debug" signal will be output at 630. However, if the system is operating in a security context, the control logic 620 will look at mode 602, and if it is in user mode, it will check to see if the user mode is enabled and the debug enable bit is set. If they are, then the debug will be initialized, knowing that the thread aware bit has not yet been initialized. The hierarchical nature of control values is described above. 136 200417216 Figure 68 also shows the thread detection part of the monitoring control and how it can only switch from the safety supervision mode (in this embodiment, the processor is in production and JSDAEN is grounded). Control value. It is possible to use an authorization code to enter the security supervision mode from a security user mode 'and then set the control value at C P 1 4. When the address comparator 610 indicates that the breakpoint has been reached, the control logic 62 outputs an "enter debugging" signal and understands that the thread comparator 64 indicates that debugging is allowed for the thread. It is assumed that the thread detection initialization bit is set in Cpi4. If the thread detection initialization bit system sets a breakpoint, if the address and content identification match those indicated in the breakpoint and the allowed thread index, only debug or trace can be entered. After the initialization of a monitoring function ', detection can only be performed within the detection of the comparator 64; when the symbol is an allowed thread, the acquisition of diagnostic data continues. When a content identifier indicates that the executed application is not an allower,% blocks the extraction of diagnostic data. It should be noted that in the best embodiment, there is a certain level of granularity. Actually, the security is wrong. Every time the tracking is enabled, only the tracking enable position is at the top. Next, enable the security user mode, Kaizhi County, Di Yong bit 70, and finally the security thread. Detect enable bit. As shown in Fig. 69A, solidification of the whistle 丄 Bapu and Fig. 69B (see below for details). The control value reserved in "Debugging and State Control (Debug Record (CP14) according to the domain a n d S t a t u s C ο n t r ο 1)" login, mode and thread control security debug granularity. It is on top of the security oversight model. Once the "error detection and status control" registration breakpoints, monitoring points, etc. CP 14 is set, the corresponding design is made by the security supervision mode, so that the core enters the debugging state. 137 200417216 Figure 69A outlines security debugging for intrusive debugging. The default values are shown in gray. The same applies to the granularity of debugging that is not invasive. In this case, the security debugging granularity is also used as the default value. Please note that the security user mode debug enable bit is generally used for both intrusive and non-intrusive. Thread detection initialization bit is stored in the registry to indicate whether the granularity is based on the application needs. If the thread is detected, the control logic will further check the application identifier or the thread indicates the value indicated in the control value of the thread, and if so, then. If any of the user-mode or debug-enabled bits detect that the bit has been set and the application being executed is not indicated in the execution value, the breakpoint and the future core performers will be ignored and debugging will not be performed. initialization. In addition to controlling the initialization of the monitoring function, it is also possible to control the acquisition of diagnostic data during a monitoring function. Purpose, the core must follow the value during the operation of the monitoring function 'that is, the registered bits stored in CP 1 4 and their enable bits. Figure 7 illustrates the granularity of the monitoring function during execution. The area A is related to the allowed capture The area of the diagnostic data regarding the area where the control value is stored in the CP14 means that it is not data. Therefore, when debugging is performed and the interpretation is granular in the area. Figure 69B overview of the reset. Gray indicates reset and security enforcement. The CP14 indicates that the bit has been initialized. Thread 603 is initially debugged and will not be set or executed. Thread detection control will continue to its original form. A similar party will continue to consider the two control 6 related conditions in order to achieve the above. . In this case, the phase B of the area ’area may be intercepted and diagnosed during operation A. The diagnostic data is output in a stepwise manner during the debugging process. When the operation is converted to area B, it is a place where diagnostic data is not allowed to be retrieved, and debugging is performed step by step, otherwise it is performed automatically without any data being retrieved. This continues until the operation of the program enters area A again, so that the interception of the diagnostic data is started again and the debugging continues to be performed step by step. In the above embodiment, 'if the security domain is not enabled, an SMI means

The order is always regarded as an atomic event and prevents the acquisition of diagnostic data. In addition, if the thread-aware initialization bit is set, the granularity of the monitoring function during operation also appears in terms of application.

For non-intrusive debugging or tracing, it is achieved by the ETM and has nothing to do with debugging. When tracing is enabled, ETM functions as usual, and when it fails ’ETM hides tracing in a security context or part of a security context based on the granularity chosen. One way to avoid ETM retrieving and tracking diagnostic data in the security domain when not enabled is to slow down the ETM when the s bit is high. This can be achieved by combining the S bit with the ETMPWRDOWN signal, so when the core enters the security context, the final value of the ETM is retained. Therefore, the ETM should track an SMI instruction and then decelerate until the core returns to the non-security cost situation. Therefore, ETM will only monitor non-safety activities. Some of the different monitoring functions and their granularity are summarized below. Intrusive Debugging of the Board Stage The board stage when the JSDAEN PIN is not grounded, it is possible to initially debug anywhere before any start period. Similarly, if I am in the full supervision mode of An 139 200417216, I have similar authority. : Detection block) 〇 Wrong enough to enter a very secure state. 〇 If the person makes an initial error in hah debug mode, all logins are accessible (non-secure and secure login areas and In addition to the bits dedicated to control, the entire memory can be dumped from any mode and any domain into the debug shutdown mode. Breakpoints and watchpoints can be set in secure or non-secure memory. In the detection state "You can use only one MCr instruction to change the s bit to enter the security context. When a security exception occurs, you can enter the debug mode. The new bits used to expand the vector trap register are as follows; SMI vector capture is enabled; security data abort vector capture is enabled; security prefetch abort vector capture is enabled; and security undefined vector capture is enabled. In monitoring debug mode, if we allow debugging anywhere, to non-secure When a sexual situation calls an SMI, it may enter the whole sexual situation with step-by-step debugging. When a breakpoint occurs in the security domain, the security manager can operate Register the block and secure memory with dumped security. The abort manager in security and in non-secure contexts gives their information to the debugger application, and the debugger window (in the relevant price error control) On PC) can be displayed in both security and non-security scenarios. 200417216 Figure 71A shows what happens when the settings are set in the monitoring debug mode, when x-heart, and when 彳 zheng error is enabled in the security scenario. Figure 7 丨 B--, Μ ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,,,,,,,,-,,,,,,,-,,,,,,-,,,,,-,,,,,,,,, In the security situation, when the debug is used, the following procedures will be described in detail below. J Jie Duan's _Intrusive Debugging In the production stage, when JSDAEN has grounding and debugging restrictions as a non-safety situation, unless the safety supervision has other decisions, ~~ Figure 71B shows what happened. Here In this case, the smi should always be considered as an atomic inStruction, so when entering the debugging state: ^ is to complete the security function first. ^ The following restrictions apply to the debugging stop mode. Only in non- Consider outside in a female holistic situation Request for chastity request If EDBGRQ (External External Debug Request) has been declared in the security situation, once the security power t enters the debugging stop mode, and the core returns to the non-security situation or internal debugging, please ask the department to debug If the request is terminated, the kernel enters the security memory as a breakpoint or watchpoint and when the programming address matches, the kernel does not stop the design and will not affect the vector trap registration (Vector Trap Registei: and non-security exceptions. As before) All the expansions described above capture the impact of health. See below for details) Only the enabled bit will not be produced. Once in the shutdown debugging mode, Miaotian T ⑷ applies the following restrictions: The S bit cannot be changed to force entry into the female gold team. Environment, unless female holistic debugging is enabled. 141 200417216 The mode bits cannot be changed if debugging is allowed only in the security supervision mode. The exclusive bits that control security debugging cannot be changed. If an SMI is loaded and executed (accessed at system speed), the core enters the debug state again only when the security function is fully executed.

In the monitoring and debugging mode, since monitoring cannot occur in a security context, the security suspension manager does not need to support the debugging monitoring program. In non-safety scenarios, step-by-step steps are possible, but as long as one SMI is performed, the security function is fully performed, in other words, when "step-in" and "step-over" are in all When other instructions are possible, an XWSI only allows "step-over". XWSI is therefore considered an atomic instruction. Once security debugging is disabled, we have the following restrictions: Before entering monitoring mode:

Only consider breakpoints and watchpoints in non-security situations. If bit S is set, skip breakpoints / watchpoints. Please note that the watchpoint unit is accessed with MCR / MRC (CP14). This will not cause a security issue, as the breakpoints / watchpoints will not affect the security memory. BKPT is usually used to replace the breakpoint. It is assumed that the overwriting of the above instructions in memory is based on the BKPT instruction, which is only possible in the non-safety: formula. 'Vector capture login involves only non-security exceptions. As mentioned earlier, all extended capture enable bits do not generate material. The data abort and prefetch abort enable bits should be disabled to avoid forcing the processor into an unrecoverable state. 142 200417216 s is in the wrong mode. It goes back to a mode. Anyone's code is kept wrong. In the security situation, when the non-safety situation is reached by JTAG, no. -A / · * · ° taxi down Models have the same restrictions (no meta, etc.). > Sigh ^ In the monitoring mode (non-security abort mode) Non-female full ^ The abort server can dump non-secure contexts and invisible full block registration and security memory. Perform security functions with basic SMI instructions: 旎 Change the S bit to force entry into the security context. If you ’re not allowed to debug in the women ’s overall supervision mode, you cannot change bit 7F. “Yueyi” If an external debug request (EDBGRQ) occurs, in the non-safety Tuya Shia brother, the core terminates the existing instructions and immediately enters the blessed state (in the shutdown mode). ’Terminate existing features and enter debug status, when # 〇 new debug needs to be grayed out / means some fix in core hardware. Must be + master control s bits,,,, and U, and based on security, this security bit cannot be inserted into the scan chain. Smoke ′ In debugging, the security bit is changed only when debugging is enabled in the security supervision mode. For example, G will prevent any task that can access the debug in the security domain to change the system (modify the TBL item, etc.) to access all global situations. In this method, each thread can debug its own program and can only debug its own code. Security must be at the core of its security. u This enters the detection when the core is executed in a non-safety situation, and the month b is enough to change the mode bit as described above. 143 200417216 An embodiment of the present technology uses a new vector capture register (trap register). If one of the bits in the registration is set to the corresponding vector trigger, the processor enters a debug state such as an instruction that the same breakpoint has been retrieved from the autocorrelation exception vector. The rows of these bits differ according to the bit value of "Debug in Secure world Enable" in the debug control registration. The new vector capture entry includes the following bits: D — s — abort, P — s abort, S — undef, SMI, FIQ, Unaligned, D — abort, P — abort, SWI, and Undef o D — s — abort bits Meta: Can only be set when booting in security context and when debugging is set in shutdown debugging mode. In monitoring mode, this bit is never set. If effective in a security context, it will have no effect regardless of the value of the bit. P_s_abort bit: Same as D_s_abort bit. S-Undef is only enabled in the context of security. It is also assumed that if debugging fails in a security context, this bit will have no effect whatsoever. The SMI bit can only be used when security detection is enabled in the security context. If debugging fails in the security context, this bit has no effect. FIQ, D—abort, P—abort, SWI, and undef are different. So even when debugging in a security situation, daggers are still valid. Please note that D_abort and P_abort should not be declared high in the mode. . (Vector two-way pair is set to the possible erroneous error IRQ, use debug control to debug, debug error, debug error value is set when the error value is Yuan: and invalid, in monitoring 144 200417216

Reset bit: When a reset occurs, we enter the security context. This bit is valid only when debugging is enabled in the security context, otherwise it will not have an impact.

Although a specific embodiment of the present invention has been described herein, it is obvious that the present invention is not limited to the above, and many modifications and additions may be made in the scope of the present invention. For example, without departing from the scope of the present invention, various combinations of the following subsidiary features can be performed as independent items in the scope of patent application. [Brief description of the drawings] The present invention will be further explained with reference to the preferred embodiment illustrated by the drawings, wherein: FIG. 1 is a block diagram illustrating a data processing according to a preferred embodiment of the present invention Equipment; Figure 2 illustrates different procedures for operating in a non-secure domain and a secure domain; Figure 3 illustrates a moment of processing modes related to different security modes

Figures 4 and 5 show different relationships between the processing mode and the safety net; Figure 6 shows a programmer's module, one of the processor's registration blocks related to the processing mode; Figure 7 Figure 1 shows an example, providing separate login blocks for a secure domain and a non-secure domain; Figure 8 illustrates multiple processing modes, with a single monitoring mode between the security domains by 145 200417216 Conversions performed; Figure 9 is a diagram of a security domain conversion using a mode switch software interrupt instruction; Figure 10 is an example of how the system handles non-security interrupt requests and security interrupt requests; 11A and 11B illustrate an example of a non-security interrupt request processing and an example of a security interrupt request processing according to FIG. 10; FIG. 12 illustrates an alternative mechanism, comparing FIG. 10 The figure is used to control the non-security interrupt request signal and the security interrupt request signal; the exemplary diagrams of FIGS. 13A and 13B are used to process a non-security interrupt request and A security interrupt request; An example of a vector interrupt table; Figure 15 shows a majority vector interrupt table related to different security domains; Figure 16 shows an abnormal control login; Figure 17 is a flowchart, the diagram is a warning The method of setting a sexual domain changes how a processing status and an instruction generate a respective mode conversion exception, which sequentially triggers entering a monitoring mode and executing a monitoring mode; FIG. 18 shows a processor operating in multiple modes. Control one thread, where a task is interrupted in the monitoring mode; Figure 19 illustrates one of the threads controlled by a processor operating in multiple modes; Figure 20 illustrates one of the threads operating in multiple modes A processor controls one of the further threads, wherein the interrupt is enabled in the monitor mode; 146 200417216 Figures 21 to 23 illustrate different processing modes and processes according to another exemplary embodiment, and are used for security And non-secure domains; Figure 24 illustrates the concept of adding a security processing option to a familiar ARM core; Figures 25 illustrate the domains with security and non-security and Reset a processor; Figure 26 illustrates the use of a software counterfeit interrupt to pass a processing request to a virtual operating system; Figure 27 illustrates another example that uses a software counterfeit interrupt to pass a processing request to a virtual suspension Operating system; Figure 28 is a flowchart showing the processing performed when a software forgery interrupt is received in one of the patterns generated in Figures 26 and 27; Figures 29 and 30 illustrate a security Tasks performed after the sexual operating system are used to track possible task transitions performed by a non-safety operating system; Figure 31 is a flowchart illustrating the secure operating system in Figures 29 and 30 The processing performed when a call is received in Figure 3; Figure 32 shows the problem of reverse priority of interrupts that may occur in one of the systems with most operating systems, where different interrupts can be controlled by different operating systems; Figure 33 illustrates the use of a stub interrupt manager to avoid the problem shown in Figure 32; and Figure 34 illustrates the basis for controlling whether or not they can be interrupted by an interrupt serviced by an operating system Type and Priority Interrupts 147 200417216 Figures 3 and 5 show how the processor-specific setting data exclusive to the monitoring mode takes precedence over the processor-setting data when the processor is operating in the monitoring mode; Figure 1 shows a flow FIG. 7 illustrates how the processor setting data is converted when switching between a secure network domain and a non-secure network domain. FIG. 37 illustrates the control used in one embodiment of the present invention. Memory management logic for accessing the memory; FIG. 38 is a block diagram illustrating the memory management logic for controlling access to the memory in a second embodiment of the present invention; FIG. 39 FIG. 40 is a flowchart illustrating a process performed in an embodiment of the present invention, which is used in the memory management logic to process a memory access request dedicated to a virtual address; FIG. 40 is a flowchart illustrating The process shown in the embodiment of the present invention is used in the memory management logic to process an entity access request dedicated to a virtual address; FIG. 41 illustrates a partition detector of the preferred embodiment of the present invention. How to fuck In order to prevent access to a physical address in the secure memory, when the device issuing the memory access request is operated in a non-secure mode; FIG. 42 illustrates a preferred embodiment of the present invention. The use of a non-security paging table and a security paging table; Figure 43 illustrates the two types of flags used in the main translation reference buffer (tlb, translation lookaside buffer) of the preferred embodiment; Figure 44 148 200417216 FIG. 45 illustrates an embodiment of the present invention, which is performed by a memory management unit (MMU) after a boot partition is performed according to an embodiment of the present invention. Mapped non-secure memory; Figure 46 illustrates how to warn the memory in the right column to allow a security application to share memory with a non-security application according to an embodiment of the present invention; Figure 47 Shows how the device is connected to an external bus of a data processing device according to an embodiment of the invention; Figures 4 to 8 are block diagrams showing how the device is connected according to a second embodiment of the invention Connect to external bus; Figure 49 illustrates the physical memory arrangement of an embodiment using a single component page table; Figure 50A illustrates an arrangement in which two MMUs are used via an intermediary address to perform virtual to physical bits Figure 50B illustrates an optional arrangement in which two MMUs are used to perform a virtual-to-physical address translation via an intermediary address; Figure 51 is only an example, illustrating the security domain and Non-secure domains, the correspondence between the physical address space and the intermediate address space; Figure 52 illustrates the memory between the secure and non-secure domains via the paging table related to the second MMU Swap of the body region; the embodiment of Figure 53 illustrates the implementation using a single MMU, and the non-compliance with the main TLB causes an exception to be requested to determine the virtual-to-physical address translation; Figure 5 4 A flow chart showing the program executed by the processor core to verify that the main TLB of the MMU in Figure 53 does not match.

149 200417216 Take action on exceptions; Figure 5 5 is a block diagram showing components provided in a data processing message in an embodiment, in which information is provided to the cache to determine which ones are stored on individual cache lines The data is security data or non-security data; Figure 5 6 shows the memory management unit shown in Figure 5 5; The processing performed in the data processing device shown below is to process a non-secure memory access request. FIG. 58 is a flowchart illustrating the processing performed in the data processing device shown in FIG. 55 to process a Security memory access request; Figure 59 illustrates the possible granularity of the monitoring function for different modes and applications executed on a processor; Figure 60 illustrates the possible methods of initial different monitoring functions; Figure 61 shows a control value table to control the different monitoring functions that can be used; Figure 62 shows a positive-edge triggered flip-flop; Figure 63 shows a scan string 1. key unit ); Figure 64 shows most scanning chain units in a scanning chain; Figure 65 shows a debugging TAP controller; Figure 66A shows a debugging TAP controller with JADI; Figure 66B FIG. 67 illustrates a scanning chain unit having a bypass register. FIG. 67 illustrates a processor including a core, a scanning chain, and a debug status and control register. 150 200417216 Figure 68 shows the factor (factor) to control the initialization of debugging or tracking; Figures 69 A and 69B show a summary of the granularity of debugging; Figure 70 shows the granularity of debugging during execution; and Figures 71A and 71B Illustration of monitoring debugging that is enabled in a security context and when it is not individually enabled. [Simple description of component representative symbols] 10 core 12 scan key 14 login block

16 ALU 18 JTAG controller

20 ICE

2 1 VIC

22 ETM 2 4 login 26 control login 30 memory management logic 34 control login

36 TCM 38 Cache 40 System Bus

42 EBI

44 Boot ROM 46 Screen

48 Register or buffer 50 DSP 5 2 DMA 54 Arbiter / decoder logic 5 6 External memory 58 Paging table 60 Input / output interface 62 Register or buffer 64 Key storage unit 66 Register or buffer 70 External bus 72 Monitoring program 151 200417216 74 Non-safety operating system 7 6 Non-safety application 1 7 8 Non-safety application 2

8 0 Security core 82 Security application 1 84 Security application 2 86 Monitoring mode 200 MMU 202 access permission logic 204 area attribute logic 206 micro-TLB 208 main TLB 210 translation table walking logic 220 MPU 222 segmentation detector 224 access Permission logic 226 Area attribute logic 230 Path (Aborted) 2 3 2 Path (cacheable, bufferable) 234 Path (virtual address) 236 Path (physical address) 2 3 8 Path 240 Path 242 Path 244 Path 246 Path ( Descriptor) 2 4 8 path 3 0 0 program generated virtual address 302 query security descriptor micro-TLB 3 04 query security descriptor main TLB 3 06 paging table walk 3 08 main TLB contains valid additional security description The subscript 3 10 loads the sub-part of the relevant descriptor containing the physical address part in the micro-TLB. 3 12 Check the access permission (private / user ...) 314 Violation? 316 Access allowed error aborted 3 1 8 Access to memory 320 Query non-security descriptor micro-TLB 3 22 Query non-security descriptor main TLB 324 Paging table walk 152 200417216

2e3024365054587274789097052f3i4i = tGG, ~ s The main TLB contains a valid additional non-safety poor cut detector to check if the non-safety entity j address if ~ non-female sex violation of safety / non-safety error abortion contained in the micro-TLB load contains The sub-portion of the sub-portion of the sub-portion carefully checks the access permission (private / user ..., violation? The kernel generates a physical address check permission, and is the non-secure physical bit memory 3 violated? The access permission is aborted incorrectly. Access to security, security memory, non-security zone, non-security zone, non-security zone, security zone, security zone, security zone, non-security memory, non-security paging table, base address, security memory Security Paging Table Security Paging Table Base Address Domain Flag Program ID Flag Descriptor Descriptor Descriptor Item Memory Memory for Non-Security Applications ~ Memory Security Paging Device Device External Memory Arbiter 153 200417216 478 480 482 484 486 488 490 492 500 501 502 503 512 514 516 520 522 524 530 541 544 550 570 580 600 601 602 603 610 611 612 620 630 2000 2010 2015 2020 2030 2040 2050 Code screen entry number, path control, isolation, use for supervisor, use E-tracing, make mistakes, save, record, record, record, log out Dengxin Road sub-supervisor sub-should be sub-should be sub-should be sub-should be sub-should be sub-scored 1C sweeping finger scan nuclear inspection nuclear storage ascend the boarding control board surface ^ 61 Xiangfukou Xikou slow out slow-measuring device or road Inspecting line line line type phantom memory chain chain

PAT device comparison device Qul 51 is a special tool for die change, diameter control, work path, and road monitoring. There are many special die control and monitoring tools / IV program control? The state of the memory state, the state of the state, the point of the network, the storage of the command with the direction of the network, the index has been formulated, the command of the model, the state of the S, the charge of the state of the state, the state of the state, the state of the load, the state of the loading domain, the state of 2070, and the exit of the monitor . Mode to leave monitoring mode and switch to destination domain 2100 physical address space 2 11 0 non-secure memory 2120 secure memory

2150 MMU 2 1 5 3 path

215 5 micro-TLB 2 1 5 7 path

2160 Main TLB 2165 Translation table walking logic 2 1 6 7 path

2170 MMU 2 1 7 5 path

2180 Main TLB 2185 Translation table Walking logic 2190 Data bus 2192 Path 2 1 9 4 Path

2170 MMU 2200 physical address space 2210 security area 2220 non-security memory 2230 security area 2240 non-security memory 2250 paging table 2265 intermediate address space 2270 intermediate address space 2 2 7 5 non-security intermediate Address space 2300 A region of memory 2 3 0 5 Region in middle address space 2310 Region

2400 MMU

2410 micro-TLB

2420 Main TLB 2 4 2 2 path 2430 path 2440 path 2450 path 2500 detected a TLB non-compliance abnormal? 155 200417216 Set the wrong position to find the body description < the pre-alternative sign to find the actual description of the two places 42 (often used to describe the description of the first body 2 used a different table to describe the table to Erhe Real LB It ’s usually the first to twelfth address, the first to the T return flow, the second position, the second position, the line to the regular line rendezvous, the fetch, the main different access number in the test room, and the address system is replaced. The selection of the parameters and the results are intended to be controlled in the multi-flag position οοοοοοο ο ο 0 5 0 0 2 0 0 1 2 3 4 5 6 7 8 9 9 0 1 1 2 3 5 5 5 5 5 5 5 5 5 6 6 6 6 6 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 The virtual address address position bit body is given to the virtual address between the address and the symbol in the address. The actual control of the fixed position is determined by the false new location address. The false symbol is incorrectly generated. The bit description is misrepresented. The incorrect description is entered. The false description is inserted into the second location to obtain the wrong translation. The new one that is described by the description and the description in the store is marked as having the BL scheduler Γ0-sexual T flow detection test lcr all lines must be checked by the logic device. Interpretation of roads, roads and capital control Non-line search performed in the green of a whole sub-amphetamine summary description 24600246050 50 33345555001 12 66666666777 77 22222222222 22 B L T to the main memory in which character B produced in said formula TL description proposed virtual address bits

Included; Participant P My use Describe the addressable location of Q. Is there any way to check the B B L L T T error? < < Allow CC to fetch fast mlml violation can be 5 0 5 0 5 2 3 3 4 4 7 7 7 7 7 Check whether the sexual line is all fast or not is fast 0 5 0 5 5 5 6 6 7 7 7 7 156 200417216 The quasi-exceptional false counter-incorrect error cut anti-cut type in the middle of the stop address Take the points icr Sexuality Existence Sexuality Existence M Fully Fully Retrieving Department Fully Inquiry An Inquiry Page Delimiter An An Quick Investment Foreign Security An Inspecting Verification 050505050 50 778899001 12 777777888 88 222222222 22 Anti-B Symbol Violation Producing TL, BL, and T lines? Inquiry, fill in, get back the body, continue to call the new call, start to call the brand new? Allow to check the line, save, return to the soft line, continue to the old to the call, you can call to ί til anti-cache access Do you want to save the new deposit and exchange the new one? The newly rejected mimi is in violation. You can open it quickly and quickly. The external transfer is a re-storage transfer. It is a re-storage transfer. It is important to reject the old transfer. 505050505024 6802468024 233445688900 0011111222 888888888800 ^ 222222222244 4444444444 BLT The signing of the sign has the effect of descriptive security. Contains: The addressable allowance of the envoy used by the K Department / Λ Describe Q. Some of these include check and check. Β Β LL τ Τ I face ο ο Stop and mistakenly retrieve the charge and interruption system of the Ministry of Internal Security Perseverance, completeness and safety? In the thread of the Bank of China, there are new and existing storages used by the Bank of China, and they are used by Rongxu.

Claims (1)

200417216 Patent application scope: 1. A data processing device with a secure domain and a non-secure domain, where the security data accessed by the data processing device in the secure domain is not available in For accessers of the non-secure domain, the data processing device includes: a device bus; a device connected to the device bus and operable to issue a memory access request related to the secure domain Or any one of the non-secure domains; a memory connected to the device bus and operable to store data required by the device, the memory including security memory for storing security data and non- The security memory is used to store non-security data. When a data item in the memory needs to be accessed, the device is operable to issue a memory access request to the device bus; and the partition detection logic, When it is connected to the device bus and whenever the memory access request issued by the device is related to the non-secure domain, it can operate the partition detection logic to detect If the memory access request attempts to access the security system memory; and the basis of such detection, to prevent the memory access request of the designated access. 2. A data processing device as described in item 1 of the scope of patent application, wherein the device can operate in multiple modes, including at least one non-security mode in a non-secure network domain, and at least one in a secure network domain. Security mode 158 200417216 Formula 0 3 · A data processing device as described in item 1 of the scope of patent application, wherein when operating in one of the predetermined security modes in the security network domain, the device manages the segmentation Detection logic. 4. A data processing device as described in item 1 of the scope of patent application, wherein the memory access request issued by the device includes a domain signal, which confirms whether the memory access request is related to the above security domain or The above non-secure domain. 5. A data processing device as described in item 4 of the scope of patent application, wherein the device has a predetermined pin for outputting a network domain signal to the device bus. 6. A data processing device as described in item 1 of the scope of patent application, wherein the segmentation detection logic is provided in an arbiter connected to the device bus to access the memory issued to the device bus Arbitration between requests. 7. A data processing device as described in item 1 of the scope of patent application, wherein in the non-secure network domain, the device is operable under the control of a non-secure operating system, and in the secure network domain, The unit can be operated under the control of a 159 200417216 safe operating system. 8. A data processing device as described in item 1 of the scope of patent application, wherein the device is integrated with a chip of a processor, and the chip further includes a memory management unit. When the processor generates a memory access request, it Operable to perform one or more predetermined access control functions to control memory access requests issued to the device bus. 9. A data processing device as described in item 8 of the scope of patent application, wherein the chip further comprises: a special memory connected to the processor via a system bus, the special memory being operable to store the processor Required data, the special memory includes security special memory for storing security data, and non-security special memory for storing non-security data; and special segmentation detection logic connected to the system bus , And when operating in a non-security mode in the non-security domain, as long as the processor generates the memory access request, the special partition detection logic can be operated to detect whether the memory access request is an attempt to save Take any one of the security memory or the security special memory, and prevent access specified by the memory access request based on such detection. 10. A data processing device as described in item 9 of the scope of patent application, wherein 160 200417216: the processor is operable in a plurality of modes, including at least one non-security mode in the non-secure network domain, and in the One of the security network domains has a security mode. In the at least one non-security mode, the processor can be operated under the control of a non-security operating system, and in the one security mode, the processor. Operable under the control of a security operating system; and the special partition detection logic is handled by the security operating system. 11. A data processing device as described in item 10 of the scope of patent application, wherein when the processor is operating in at least one non-security mode, the memory access request specifies a virtual address and the memory The management unit is controlled by a non-security operating system, and one of the predetermined access control functions performed by the memory management unit includes converting the virtual bit into a physical address. When the physical address is generated in the security memory, the segmentation detection logic can be operated to prevent the memory access request from taking the specified address. 12. A data processing device according to item 10 of the scope of patent application, wherein when the processor operates in one of the at least one security mode, the memory access request specifies a virtual address, and the memory management unit Responsible for the management of the memory of the site, the special storage of the department 161 200417216 is controlled by the security operating system, and the heat is controlled by the memory management Qin Yi performed the predetermined access control function 11 early The address is converted into a physical address, and the special eight magic transforms the virtual bit into at least-security mode. "Cut detection logic is not used in this U. As described in item 12 of the scope of the patent application _ _ _ _ _ _ _ _ _ a kind of data processing equipment, in 1 for the processor to operate-request ... virtual address, in the record ... And the memory access and partition detection logic, as well as the provision of the special in the early 70, the processor can be operated in the jealous-non-security mode... "" As described in item η of the scope of the patent application-a memory protection unit is also included, the reasoning of which is: preparation, its compilation, the memory protection unit is logically detected by the security cutting-off detection when the processor It is operated by a specific security system. When a memory access request specifies an entity or a memory location, the memory management unit should be recorded in order to save the address. # ^ At least the memory access permission processing is performed to confirm whether the memory location specified by the executive is accessible at / physical address can be used in female holistic mode. 15. As described in item 10 of the scope of the patent application, the memory contains at least-a table, which contains-a descriptor of each of the management devices, a hidden area of the memory management unit. Contains an internal storage 162 200417216, which is taken from the record of the division, to obtain its storage unit, which is used to store the access control information derived from the descriptors and used by the memory management unit In order to execute the predetermined access control functions of the memory storage request, when the processor is operating the at least one non-security mode, the special partition detection logic can be operated to prevent the internal storage unit from storing the allowable storage. Get the access control information of the security memory. 16. A data processing device as described in item 15 of the scope of patent application, wherein the memory access request specifies a virtual address, and one of the predetermined access control functions includes converting the virtual address to a Physical address, each descriptor contains at least a virtual address part and a physical address part corresponding to a memory area, when the processor is operating in the to a non-security mode, if it will be the virtual bit When the physical address generated by the address is within the security memory, the special cut detection logic can be operated to prevent the internal storage unit from storing the physical address into access control information. 1 7. A data processing device as described in item 16 of the scope of patent application, wherein the internal storage unit is a translation reference buffer (TLB) operable to store corresponding physical address portions in some virtual address portions, which The corresponding descriptor is taken from the at least one table. 1 8. A data processing device as described in item 17 of the scope of the patent application, 163 200417216 t the TLB is as usual, and the internal storage unit includes the main TLB 'for storing the memory management unit From the at least one cell: the intercepted descriptor, access control information, before the memory management unit uses the access control information to perform the predetermined access control function for the memory access request, The micro-TLB can be converted from the main TLB; κ, 丨 eight gold 丨 κ, knife edge 丨 dual test logic, when the processor is operating in the at least one non-security mode, " 辑 以防 # 打 — This special partition detection sequence is performed to prevent any access control from being redundantly switched from the main TLB to nucr0-TLB, and the access control will reach the memory. Beixun System may allow access to this security. 19 · As a kind of data processing as described in the 0dfc _ item in the scope of the patent application, 伟 A τ < Expansion symbol is related to at least the security memory common When creating a memory area, the table contains a non-security table for the processor when the processor is in the at least-non-secure mode and the system is connected by the non-security device. Descriptive symbols generated by the system; when the processor is operating in a non-four town mode, the special point and β〇〇 detection logic can be operated to prevent the early warning from being stored by the descriptor. The part of the physical address of the designated system is the name system. If the entity's virtual address will be generated later in the security memory of the entity. 20 · If a kind of data processing is covered by item 18 in the scope of the application for patent, the name list shall be managed and the record shall be recorded. It shall be one of the descriptors in the non-security form in the 164 200417216. When the processor is operating in the at least one non-security mode, the at least one table includes a non-security table when the processor is operating in the at least one non-security mode. Descriptor generated by the non-security operating system; when the processor is operating in non-security mode, the special partition detection logic can be operated to prevent the internal storage unit from storing the physical address specified by the descriptor Part is access control information, if the physical address generated for the virtual address is later in the security memory; and wherein the at least one table further includes a security located in the security memory A table containing the descriptors generated by the security operating system, the primary TLB contains a flag related to each of the stored in the primary TLB Said operator to confirm whether or not the descriptor from the non-safety system or the security table form. 2 1. A data processing device as described in item 20 of the scope of patent application, wherein whenever the operation mode of the processor is changed between a security mode and a non-security mode, the micro-TLB is cleared, and The access control information in the security mode is only converted from a descriptor in the main TLB to the micro-TLB, and the main TLB indicated by the relevant flag is from the security table, and in the non-security mode The access control information is only converted from a descriptor in the primary TLB to the micro-TLB, and the primary TLB indicated by the relevant flag is from the non-security table. 165 22. A data processing device as described in item 10 of the scope of patent application, wherein the memory contains at least one table containing relevant descriptors for each of a number of memory areas, and the memory management unit includes an internal A storage unit that stores the access control information derived from the descriptor with x, and the predetermined access and also used by the memory to respond to the memory access request to execute the memory access request.丨 ^ Two system months b, when the processor is operating in the at least ~ security mode, 'β operates the special partition detection logic to prevent the storage unit # ^ • sub-access control information, the access control The information system may allow access to the security μ'memory body 'and wherein the at least one table includes one less paged table. 23. A data processing device as described in item 1 () of the patent application scope, wherein the special memory includes an immediate memory connected to one of the system buses, and the physical address of the immediate memory The scope is defined as a control login, and when operating in a permission security mode, the processor can set a control flag to indicate whether the immediate memory system can be controlled by the processor when only a permission security mode is executed, Or it can be controlled by the processor when executing at least one non-security mode. 24. As described in item 23 of the scope of the application for patent-a kind of f material processing equipment, such as if executed in the system immediately following the memory at least one non-safety mode to prevent security data, at Controllable materials are stored in the memory immediately following 166 200417216. Neutral equipment is located in the entire establishment, and the food and beverage department has the material. The equipment is provided in the domain. The equipment is installed in the rational species. The equipment is controlled and stored in the domain. In the material package, set up a full material security department _ take Γ ¥ storage should take a t, save and take the domain to take the body of the French side of the network Quan Yi'an L equipment a device bus; a device, It is connected to the device bus and is operable to issue a memory access request related to either the secure domain or the non-secure domain; and a memory connected to the device bus and can Operate to store the data required by the device. The memory includes secure memory to store security data and non-secure memory to store non-secure data. The method includes the following steps: (i) when accessing When a data item is required in the memory, a memory access request is issued from the device to the device bus; and (ii) as long as the memory access request issued by the device is related to the non-security Sex domain, Use segmentation detection logic connected to the device's bus to detect whether the memory access request is an attempt to access the secure memory; and (iii) prevent such memory access requests from being detected based on such detections Designated access. 26 · 2 6. A method as described in item 25 of the scope of patent application, wherein the device can operate in multiple modes, including at least one in a non-secure domain 167 200417216 non-secure mode, and in a secure domain One of at least one security mode. 27. A method as described in item 25 of the scope of patent application, wherein the segmentation detection logic is managed by the device when operating in a predetermined security mode in the security domain. 28. A method as described in item 25 of the scope of patent application, wherein the memory access request issued by the device includes a domain signal that confirms whether the memory access request is related to the security domain or the non- Security network domain ^ 2 9. A method as described in item 28 of the patent application scope, wherein the device has a predetermined pin for outputting a network domain signal to the device bus. 30. A method as described in item 25 of the scope of patent application, wherein the segmentation detection logic is provided in an arbiter connected to the device bus to perform memory access requests issued to the device bus. Arbitration. 3 1. A method as described in item 25 of the scope of patent application, wherein in the non-secure network domain, the device can operate under the control of a non-secure operating system 168 200417216 and in the secure network domain The device can be operated under the control of a safe operating system. 32. A method according to item 25 of the scope of patent application, wherein the package is integrated with a chip of a processor, and the chip further includes a memory tube unit. When the processor generates a memory access request, the method includes Next steps: Use the memory management unit to perform one or more predetermined memory control functions to control the memory access request sent to the device bus. 33. A method as described in claim 32, wherein the crystal further comprises a special memory connected to the processor via a system bus, and the special memory is operable to store the required memory of the processor. The special memory includes security special memory for storing security data, and non-security special memory for storing non-safety materials; and special segmentation detection logic connected to the system bus, the method further includes The following steps: When operating in a non-security mode in the non-security domain, if the processor generates the memory access request, the special sub-detection logic is used to detect whether the memory access request is an attempt Access any of the security memory or the security special memory, and prevent the memory access request specified by the memory access request based on such detections 169 200417216 to take. 3 4 · According to a method described in item 33 of the scope of patent application, the processor is operable in a plurality of modes, including at least one non-security mode in the network domain, and one less security mode in the security. The at least one non-safety module can be operated under the control of a non-safety operating system, and in one less security mode, the processor can be operated under the control of a security system; and the special partition detection logic is controlled by The security works. 35. A method as described in item 34 of the scope of patent application, the processor is operated in the at least one non-security mode, and a virtual address is specified in the memory access request, so that the management unit executes a Or most of the predetermined access control steps are controlled by the non-secure operating system, and one of the predetermined access control functions includes the virtual address body address, and the special partition detection logic prevents access requests in step (iii) The specified access, if the physical address generated by the memory is in the security memory. 3 6. A method as described in item 34 of the scope of the patent application, where: the non-safety domain is up to, and the processing is performed in the place where the whole operation system is managed (i ) The pre-transformation performed by the step performed with the memory function is issued to stop the memory unit produced. When the 170 17017216 processor is operated in one of the at least one security mode, the issued The memory access request specifies a virtual address, so that the memory management unit performs one or most predetermined access functions controlled by the security operating system, and one of the access control functions performed includes The virtual address is converted into an address, and the special segmentation detection logic is not used in the at least one safety formula. 0 7. A method as described in item 36 of the patent application scope, in which all modes operated by the processor are In step (i), a memory access request is issued to specify a virtual address, the special partition detection logic is provided in the memory management list, and as long as the processor operates in the at least one non-security mode You can operate. 38. A method according to item 35 of the scope of patent application, wherein a memory protection unit, wherein the special partition detection logic memory protection unit is provided is managed by the security operating system, and the processor is operated In a specific security mode, the memory access request sent out specifies a memory location body address, the step of using the memory management unit to perform a predetermined access control function is not performed, and the The memory guarantee performs at least a memory access permission process to confirm whether the memory location specified by the address is accessible to the specific security step (i) using the physical full mode predetermined by the step to record In this token, the lifting operation further includes a series, in which, when one of the steps 实 is one or more of the protection unit entity holistic module 171 200417216 formula 0 3 9 · A method as described in item 34 of the scope of patent application , Wherein the memory contains at least one table containing relevant descriptors for each of a number of memory regions, the method includes the following steps: in a memory An internal storage unit is provided in the management unit to store the access control information derived from the descriptors, and the predetermined accesses used by the memory management unit to perform the memory access request. Control function; and when the processor is operating in the at least one non-security mode, the special partition detection logic can be operated to prevent the internal storage unit from storing access control information, which can allow access to the Security memory. 40. A method as described in claim 39, wherein the memory access request issued in step (i) specifies a virtual address, and the predetermined ones executed by the memory management unit. The access control function includes converting the virtual address to a physical address. Each descriptor includes at least a virtual address portion and a physical address portion corresponding to a memory area. The method includes the following steps: when the processor When operating in the at least one non-security mode, if the physical address generated for the virtual address is later in the security memory, the special partition detection logic is used to prevent the internal 172 417 216 The storage unit mistakenly stores the physical address part as the access control information. 41. As described in item 40 of the scope of the patent application, the M storage unit is-the transfer reference buffer (TL Β) can be operated as a The pseudo-address portion stores a corresponding physical address portion, which is obtained from intercepting the corresponding descriptor of the at least one table. 〇. A method as described in item 41 of the scope of patent application, wherein the system is a micro-TLB, and the internal storage unit further includes a descriptor for storing the descriptors from the at least one table by the memory management unit. , The method includes the following steps: before the memory management unit uses the access control information § the memory access request to perform the predetermined access control function, the main TLB converts the access control information to the micr0_TLB When the processor is operating in the at least one non-security mode, the special segment detection logic is used to prevent any access control information from being converted from the main TLB to the micro-TLB, and the access control protocol allows access to the Security recall. 43. A method as described in item 40 of the scope of patent application, wherein the descriptors in the security table are related to at least one of the parts that interact with the memory. § When the memory area is' the at least one contains a non The security table is used when the processor is operating in the internal virtual fetched from TLB TLB intercepted as the slave ^ 'so that the slave can be used in non-secure packets _ 173 200417216 in non-security mode and include the non- The descriptor generated by the security industry system includes the following steps: When the local device is operating in a non-security mode, the special partition detection logic is used to prevent the internal storage unit from storing the specified by the descriptor. The physical address part is access control information. If the physical address generated for the virtual address is in the security memory later: μ 44 · A method as described in item 42 of the scope of patent application, where When the descriptor in the non-security table relates to a memory area that at least partially interacts with part of the security memory, the at least one table contains a non-security The grid is used when the processor is operating in the at least-non-safe mode, and includes a descriptor generated by the non-safe operating system. The method includes the following steps: When the processor is operating in the non-safe mode The special partition detection logic is operable to prevent the internal storage unit from storing the description: The specified physical address portion is access control information, if "the physical address generated for the virtual & address is & The security & sexual history ^; and wherein the at least one form further includes a female general form located in the security memory, which contains the < description descriptor It main TLB generated by the security operating system A flag is included which is related to each descriptor stored in the main TLB, and the method includes the following steps: When the field descriptor is stored in the main TLB, the relevant 174 200417216 flag is set to confirm whether the descriptor It is from the non-security form or the security form. 45 · A method as described in the 44th scope of the patent application, further comprising the following steps: If the operation mode of the processor is changed between the security mode and a non-security mode, the micro-TLB is cleared. In the security mode, the access control information is only transferred from a descriptor in the main TLB to the micr. -TLB, and the main TLB indicated by the relevant flag is from the security table; and the access control information in the non-security mode is only converted from a descriptor in the main TLB to the micro-TLB, and The main TLB indicated by the relevant flag is from the non-security form. 46. A method as described in item 34 of the patent application scope, wherein the memory contains at least one form which contains each of a number of memory areas The method includes the following steps: An internal storage unit is provided in a memory management unit for storing the access control information derived from the descriptor and used by the memory management unit to execute the The predetermined access control function of the memory access request; and when the processor is operating in the at least one non-security mode, the special partition detection logic is used to The stopper access internal storage unit to store the control information 175,200,417,216 which allow access to the security memory; and wherein the at least one table comprises at least one page table. 47. A method as described in item 34 of the patent application, wherein the special memory includes an immediate memory connected to one of the system buses, the method includes the following steps: defining the immediate memory in a control register The physical address range of the entity; and when operating in a permission security mode, the processor sets a control flag to indicate whether the immediate memory system can be controlled by the processor when only a permission security mode is executed, Or it can be controlled by the processor when executing in the at least one non-security mode. 4 8. A method according to item 47 of the scope of patent application, wherein if executed in the at least one non-security mode, the processor can control the immediate memory to prevent storing security data in the immediate memory Connect to memory. 49. A data processing device comprising: a device bus; a device connected to the device bus and operable in most modes and a secure or non-secure domain included in a non-secure network At least one non-security mode of the domain and at least one security mode of the security network domain; 176 200417216 a memory connected to the device bus and operable to store data required by the device, the memory containing Security memory is used to store security data and non-secure memory is used to store non-secure data. When a data item in the memory needs to be accessed, the device can be operated to issue a memory access request to The device bus; using segmentation detection logic connected to the device bus and whenever the device operates in the at least one non-secure network domain, the device issues a memory storage request, which is operable to detect whether the memory access request An attempt is made to store the secure memory; and based on such detection, the access specified by the memory access request is prevented. 50. — A method for controlling memory access in a data processing device, the material processing device includes a device bus; a device connected to the device bus and operable in most modes and a security network A domain or a secure domain, including at least one non-secure mode in a non-secure domain and at least one security mode in a secure domain; and a token connected to the device bus and operable To store the data required by the device, the memory includes secure memory to store secure data and non-secure memory to store non-secure data. The party includes the following steps: (i) When accessing the memory When required data items in the body, a memory access request is issued from the device to the device bus; and (ii) when operating on the at least one non-secure domain, as long as the Retrieve the physical memory and install the non-memory memory method to install the 177 200417216 device to issue the memory access request, that is, use the segment detection logic connected to the device's bus to detect whether the memory access request Attempting to access the security memory; and (in) based on such detection, to prevent the memory access request specified by the access. 178